Critical 'remote escalation' flaw in Android 12 fixed in Feb security patch batch
This is the final software update from Google for the Pixel 3, 3 XL, too
The February edition of Google's monthly Android security update tackles, among other vulnerabilities, an eyebrow-raising critical flaw in Android 12.
That bug, CVE-2021-39675, is present in the mobile OS's System component, and can be abused to achieve remote escalation of privilege without the user needing to do anything at all, and "with no additional execution privileges needed," as Google cryptically put it.
The web giant hasn't revealed much more info about the vulnerability, though it referenced a source-level change in Android's wireless NFC code that brings in an additional check to make sure a size parameter isn't too large. You can now imagine how this is a "remote escalation of privilege" bug that needs no user interaction to exploit.
Presumably Google doesn't want to go too much into detail at this stage as it's in the middle of rolling out its patches.
This February security patch batch marks the final official update for Google's Pixel 3 smartphones, which launched in October 2018, which is like a century ago for the internet goliath. As this documentation states, the Pixel 3 and Pixel 3 XL will "no longer receive Android version updates and security updates."
The Pixel 3 line did get a small update in January to fix the Microsoft Teams emergency call screw-up. As widely reported, though, this month's security bundle is the last software update from Google for the handhelds.
As well as CVE-2021-39675, there are five high-severity vulnerabilities patched by Google in the System component, ranging from elevation-of-privilege flaws in Android 11 and 12 to a denial-of-service in Android 10 and 11.
There are also five high-severity holes in Android's Framework component, which can be exploited seemingly by malicious apps to gain elevated privileges. Those bugs have links to source-level patches that go into more detail. Then there's four high-severity vulns in Media Framework, and two MediaProvider programming blunders fixed via Google Play system updates.
These flaws are addressed in the 2022-02-01 update bundle. There's a separate set of patches, dated 2022-02-05, that close a high-severity hole in System; a high-severity hole in Amlogic's Fastboot component; five high-severity bugs in MediaTek code; three in Unisoc code; and 10 high-severity and one critical in Qualcomm code. Your device will only need these hardware-specific patches if it has the relevant chipset.
There are an additional four bugs patched for Pixel handsets only: two high-severity issues with the devices' camera and battery functions, and two moderate-level issues involving kernel-level Qualcomm code.
Owners of Google Pixel phones will be among if not the first to be offered these updates to download and install, and other handset manufacturers will hopefully follow suit soon after. Android's patching landscape is a little non-trivial, though there are efforts to streamline it.
Basically, check for system updates and install them once they are available, if they haven't already been pushed to your gadget. Source-level patches for these security holes have been released to the Android Open Source Project.
- Microsoft manages a mere 51 security fixes for February update bundle
- Open-source Kubernetes tool Argo CD has a high-severity path traversal flaw: Patch now
- Remote code execution vulnerability in Samba due to macOS interop module
- Sophos: Log4Shell would have been a catastrophe without the Y2K-esque mobilisation of engineers
There are, by the way, plenty of alternative flavors of Android out there, notably LineageOS, which supports hundreds of devices, and its commercially-backed variant /e/OS, which we've looked at before, but even the 249 devices it supports only constitute a small slice of the vast profusion of gear out there.
Most other downstream Android variants support far fewer models: GrapheneOS, the successor to the older Copperhead OS, supports just a dozen models of Pixel, as does CalyxOS. ®