This article is more than 1 year old
It's that time again: Android kicks off June's patch parade with fixes for five hijack holes
Updates are on the way… if you have a Google device, at least
Google has released its June bundle of security vulnerability patches for Android, with fixes for 22 CVE-listed flaws included.
This month's update, including eight critical fixes, includes patches to close up four confirmed remote code execution vulnerabilities. Google says none of the bugs have been targeted in the wild, yet.
Those with Google-branded devices like the Pixel phone line will get the update directly from the Chocolate Factory, while others will need to rely on their vendor or carrier to test and deploy the fixes.
At the basic patch level for all Android devices, users will get fixes for 11 vulnerabilities, four of which are classified as critical remote code execution flaws. Those bugs, if exploited, would allow an attacker to execute commands and install software on the device with little to no user interaction or notification.
Three of the remote code flaws are found in the Android media framework and would be triggered by opening a specially crafted file (such as an image or movie.) Two of the bugs, CVE-2019-2093 and CVE-2019-2095 are only present in Android 9, while CVE-2019-2094 is also found in Android 7.0, 7.1.1, 7.1.2, 8.0, 8.1. A fourth media framework bug, CVE-2019-2096, allows elevation of privileges and is present in versions dating back to 7.0.
A remote code execution flaw was also patched in the Android System component. That bug, CVE-2019-2097, allows arbitrary code execution as a privileged process by way of a poisoned PAC file. The bug was found in versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9. Three other bugs in the System, CVE-2019-2102, CVE-2019-2098, and CVE-2019-2099 are present in versions 7.0 and up and would allow elevation of privilege if exploited.
The Android framework was on the receiving end of three bug fixes for CVE-2019-2090, CVE-2019-2091, and CVE-2019-2092. Those vulnerabilities would all allow elevation of privilege by a local application, meaning the bad guy would already need to be running code on your machine and privilege escalation would be the least of your worries.
Those Android device owners whose vendor or carrier have decided they need the next level will get patches for an additional 11 CVE-listed flaws, nine of which are found in various Qualcomm components.
The Android framework will see a fix for CVE-2018-9526, an information disclosure flaw in Android versions 7.0-9, while the Android kernel's UVC driver will be patched against CVE-2019-2101, another information disclosure bug that allows a local app to bypass system safeguards and view data from other applications.
The nine Qualcomm fixes are divided into two categories. For open source components, four fixes will be handed down. Those include CVE-2019-2269, a critical flaw in WLAN Host stemming from a buffer overflow, and CVE-2019-2287, a critical flaw in a video codec. Two other bugs, CVE-2019-2260 in Android kernel and CVE-2019-2292 in WLAN Host, were also patched.
Five other fixes were applied to Qualcomm's closed-source components, and as such were not given much explanation. They include two vulnerabilities (CVE-2018-13924 and CVE-2018-13927) classified as critical, and three others (CVE-2018-13896, CVE-2019-2243, CVE-2019-2261) rated as high.
Admins may want to consider the Android patches a warm-up for what is to come next week. June 11th will mark Patch Tuesday, when Microsoft, Adobe, and SAP are all slated to deliver their monthly security updates. ®
Biting the hand that feeds IT
