July is here – and so are the latest Android security fixes. Plenty of critical updates for all
Patch, punch, it's the first of the month
Google today posted a fresh round of Android security fixes.
The July update addresses a total of 33 CVE-listed vulnerabilities, nine of them classified as critical risks.
At the basic 2019-07-01 level, a dozen bugs are addressed. Five of those would allow for remote code execution if exploited; three (CVE-2019-2106, CVE-2019-2107, CVE-2019-2100) in the Android media framework, while another (CVE-2019-2105) is in Android Library and the fifth (CVE-2019-2105) is found in the System. All would be triggered by opening a specially-crafted file.
Of the remaining CVEs, five (CVE-2019-2104 in Framework and CVE-2019-2116, CVE-2019-2117, CVE-2019-2118 and CVE-2019-2119 in System) are for information disclosure bugs and two (CVE-2019-2112, CVE-2019-2113) are elevation of privilege vulnerabilities.
The 01 level patches are the minimum required level for Android device makers and service providers. Those needing patches for additional components (such as for Qualcomm components) will get the 2019-07-05 patch bundle.
This month, the 05 level consists of fixes for 21 flaws, all in Qualcomm software. Those, in turn, are divided into two groups: eight CVE entries for open-source components and 13 entries for closed-source products where Qualcomm does not provide specific information on the nature of the flaw or the exact component.
Ten of the closed-source component CVEs were for issues rated as High security risks; generally this means things like elevation of privilege and information disclosure flaws. Another three were classified as critical, which usually means a remote code execution vulnerability that requires little to no user interaction to exploit.
Of the open source Qualcomm fixes, two (CVE-2019-2308 in DSP_Services and CVE-2019-2330 in Kernel) were classified as critical. The other six were labeled high severity and were found in WLAN Host (CVE-2019-2276, CVE-2019-2307), WLAN Driver (CVE-2019-2305), HLOS (CVE-2019-2278), and Audio (CVE-2019-2326, CVE-2019-2328).
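The two patch levels described above can be checked across a device fleet. The following is an added example, not code from Google or the article: it classifies the string a device reports in `ro.build.version.security_patch` (for instance via `adb shell getprop`) against the 2019-07-01 and 2019-07-05 levels. The device names and inventory are constructed, and it assumes a later patch level includes all earlier fixes.

```python
import re
from datetime import date

# Patch levels named in the article for the July 2019 bulletin.
BASE_LEVEL = date(2019, 7, 1)  # minimum level: Framework, media, Library, System
FULL_LEVEL = date(2019, 7, 5)  # adds the Qualcomm component fixes

_LEVEL_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_level(raw):
    """Return the patch level as a date, or None if the string is malformed."""
    match = _LEVEL_RE.match(raw.strip())
    if not match:
        return None
    try:
        return date(*map(int, match.groups()))
    except ValueError:  # well-formed digits but not a real date, e.g. month 13
        return None


def classify(raw):
    """Map a reported patch level to a status relative to the July bulletin."""
    level = parse_level(raw)
    if level is None:
        return "unparsed"   # treat as unpatched until verified by hand
    if level < BASE_LEVEL:
        return "behind"     # none of the July fixes are asserted
    if level < FULL_LEVEL:
        return "base-only"  # 01-level fixes only; Qualcomm fixes not asserted
    return "full"           # 05 level or later (assumed cumulative)


def audit(inventory):
    """Group device names by status; inventory maps name -> reported level."""
    report = {}
    for name, raw in inventory.items():
        report.setdefault(classify(raw), []).append(name)
    return report


# Constructed inventory: hypothetical device names and reported values.
SAMPLE = {
    "pixel-lab-01": "2019-07-05",
    "tablet-kiosk-07": "2019-07-01",
    "handset-field-12": "2019-06-05",
    "scanner-dock-03": "unknown",
}

if __name__ == "__main__":
    for status, devices in sorted(audit(SAMPLE).items()):
        print(f"{status}: {', '.join(devices)}")
```

A device in the `base-only` group is only a concern if it ships Qualcomm components; the patch level string alone does not say which hardware is present.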
Those using Google-branded devices, such as the supported Pixel phones, should be able to get the July updates shortly, while others will need to wait for their device maker or service provider to get the patches for their gear.
If available, admins will likely want to test and install the patches before July 9th, when things will get a bit busier thanks to Microsoft, Adobe, and SAP all delivering their monthly Patch Tuesday bundle of security fixes. ®