Android fans get fat November security patch bundle – if the networks or mobe makers are kind enough to let 'em have it

Google today pushed out the November edition of its monthly Android security updates, giving carriers and device makers a fresh set of patches to install. Fingers cross the patches are rolled out to you ASAP.

The November bulletin contains fixes for three remote code execution flaws as well as a number of information disclosure and elevation of privilege vulnerabilities in various core components of Android.

The three RCEs, two rated "critical" risks (CVE-2018-9527, CVE-2018-9531) and one rated "high" (CVE-2018-9521), were all found within the Android media framework. If exploited by, say, a booby-trapped video or received multimedia message, malicious code within the material could be executed with sufficient privileges to spy on the phone's owner and cause other mischief. Two elevation of privilege bugs (CVE-2018-9536, CVE-2018-9537) in the media framework were also classified as critical security risks.

The Android system component was the subject of six CVE bug entries, each for information disclosure flaws that, if successfully exploited, would give a remote attacker the ability to view user data that would normally only be visible to local apps.

Perhaps the most impressive part of the patch was the section outlining the 18 different CVE-listed security vulnerabilities that were reported in the Libxaac media library. In fact, Google said that it would be essentially booting Libxaac from Android going forward, changing its status to "experimental" and leaving it out of any future production builds of Android.

Beyond the basic Google patch level (2018-11-01) release, that fixes bugs in the core components of Android, the bundle also address another 17 CVE-listed vulnerabilities in various Qualcomm components used in Android phones.

The details of those vulnerabilities was not listed, as Qualcomm prefers to describe the flaws in its own security documents. Google does, however, note that three of the bugs (CVE-2017-18317, CVE-2018-5912, CVE-2018-11264) have been classified as "critical" security risks.

Though Google puts out the Android security patches each month, the job of actually getting the fixes to end users falls on the telcos and/or device manufacturers themselves. Those partners can, to put it mildly, vary in their ability to green light and release the patches in a timely fashion – one Reg staffer has a year-old device that hasn't seen a proper security update since August of 2017 despite it running Android 7.0.

Google has the ability to apply some security fixes to handhelds directly, via the Google Play Store application, bypassing the manufacturers and telcos. However, low-level patches require approval from said device makers and carriers. Supported Google-branded devices should at least get all their necessary updates immediately.

There are also the usual defense mechanisms within Android, such as ASLR and the Google Play Store malware scanners, that will try to defeat any exploits or malicious apps targets these vulnerabilities, while you wait for them to be patched.

Bonus: Apple graciously decides to stop bricking Watches

Apple, a phone and watch seller known to dabble in personal computers every couple years, has kicked out yet another update to its watchOS.

The 5.1.1 update will address one particular issue in particular: the nasty tendency that last week's 5.1 release had to brick some watches upon installation. Apple also said that the update will address problems with the Walkie-Talkie app and a bug in the Activity awards software. ®