Google has emitted the August edition of its Android software security updates.
This month's fixes include one remote-code-execution bug (CVE-2020-0240), present in the Android Framework. Google warns that the bug "could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process," though isn't being exploited... yet.
That flaw was the only remote-code-execution bug present in the 01 level of the security patch bundle. This is the most basic version of Android updates, only addressing the core components of the OS.
Elevation-of-privilege flaws were the most common issue elsewhere this month. Three such vulnerabilities were patched in the Media Framework (CVE-2020-0241, CVE-2020-0242, CVE-2020-0243), two in the Android System files (CVE-2020-0108, CVE-2020-0256) and two in Framework (CVE-2020-0238, CVE-2020-0257). These can be used by rogue apps to commandeer more of the device.
Also earning the "high" risk designation in the Android Framework were a trio of information-disclosure flaws (CVE-2020-0239, CVE-2020-0249, CVE-2020-0258) and a denial-of-service condition (CVE-2020-0247). A pair of information-leaking flaws were also patched in the Android System files (CVE-2020-0248, CVE-2020-0250). This is all minor stuff but could prove more serious if chained to other flaws.
Is it Patch Blues-day for Outlook? Microsoft's email client breaks worldwide, leaves everyone stumpedREAD MORE
Those who have phones or tablets that use Qualcomm components (aka, most of us) will also get the 05 level fixes for six other vulnerabilities, all considered critical. Of these, five (CVE-2019-10562, CVE-2019-10615, CVE-2019-13998, CVE-2020-3619, CVE-2020-3667) are in closed-source components and therefore not detailed by Google, though the critical designation usually means remote code execution.
The other critical bug, CVE-2020-11116, is a buffer overflow in the Qualcomm WLAN component for Android gear. It is one of four CVE-listed vulnerabilities in WLAN this month, the other three (CVE-2020-11115, CVE-2020-11118, CVE-2020-11120) all being classified as high security risks. That suggests CVE-2020-11116 could be exploited over a wireless network to achieve code execution on a victim's device.
Qualcomm's closed-source gear was by far the most-patched part of Android this month. In addition to those five critical patches, another 22 CVE-listed vulnerabilities were patched in what Google classified as 'High' risk issues.
Also included in the 05 patch are fixes for three flaws in the Android Kernel, two elevation-of-privilege (CVE-2020-0255, CVE-2020-12464) and one information-leaking bug (CVE-2019-16746). MediaTek components, specifically the Multimedia Processing Driver, accounted for three elevation-of-privilege bugs (CVE-2020-0252, CVE-2020-0253, CVE-2020-0260) and two information-disclosure flaws (CVE-2020-0251, CVE-2020-0254).
Google made no mention of any of the bugs being actively targeted in the wild, which is good news.
Those running Google-branded devices should be able to get the security updates now, while everyone else will need to wait on their respective hardware vendor or carrier to get around to validating and releasing the patches. Which could be now, next week, next month, next quarter, or never, depending on your situation.
This month could be a particularly busy one, in terms of patching, as both the Black Hat and DEF CON conferences are set to kick off online this week, and both tend to bring about high-profile bug disclosures. ®