Too bad, so sad, exploit devs: Google patches possibly several million dollars' worth of security flaws in Android

Except one – a 'your phone is now my phone' bug reported months ago and still not fixed

Google this week emitted the September edition of its monthly Android security updates – and has left at least one known vulnerability unpatched. Also, in case you missed it, the web giant started rolling out Android 10 a few days ago.

The September 2019 bundle of security fixes will be pushed out automatically to Google-branded devices, while those with other Android gear will be fed the fixes by their device manufacturer or mobile carrier. Some of the holes can be patched remotely by the ad giant via its Google Play Services regardless of the maker of the underlying hardware. In summary, check for system software updates.

As usual, the patches are split into two halves. One half a treasure trove of patches for holes in all supported devices, and the other half a bag of hardware-specific fixes. Among the most severe bugs in the first half are three remote-code-execution flaws. All Android versions from 7.1.1 to Android 10 are vulnerable to at least one of the three. Bear in mind, Google only supports Android 7 and higher, so if you're using something older, your gear is probably vulnerable with no hope of a patch (unless you want to go fix it yourself from the source code.)

Two of the platform-agnostic vulnerabilities (CVE-2019-2176 and CVE-2019-2108) are present in the Media Framework component of Android, and are rated as critical, as they would allow an attacker to get code execution by simply feeding the target a specially-crafted media file. The third code execution flaw (CVE-2019-2177) was in an unspecified part of the Android System software and is exploited through a "specially crafted transmission" according to Google.

android_money_648

Fancy buying a compact and bijou cardboard box home in a San Francisco alley? This $2.5m Android bounty will get you nearly there

READ MORE

Of the remaining 10 CVE-listed hardware-agnostic bugs patched, there are six address elevation-of-privilege flaws while the other four patch information disclosure vulnerabilities. These elevation-of-privilege holes can be exploited by malicious apps installed on a gadget to gain full control of the device. As with all these bugs, Android has various defense mechanisms designed to thwart exploitation of its programming blunders, though these can be bypassed by skilled hackers.

As for the hardware-specific security fixes, there are a total of 36 bugs patched. Most of those, 31 to be exact, were for flaws in Qualcomm's open- and closed-source kernel-level code.

Google does not give specifics on the Qualcomm bugs, although two of the flaws (CVE-2019-2258 and CVE-2019-10533) were classified as critical, a designation usually reserved for remote code execution flaws.

The other fixes cover two elevation-of-privilege flaws (CVE-2018-20669 and CVE-2019-2181) in the kernel as well as elevation-of-privilege (CVE-2018-6240) and information-disclosure (CVE-2017-5715) vulnerabilities in Nvidia driver code.

Not patched this month was a somewhat minor elevation-of-privilege vulnerability in Android discovered and reported to Google in March by Lance Jiang and Moony Li on the Trend Micro ZDI team. Malicious applications can exploit this weakness to fully hijack a device.

"The specific flaw exists within the v4l2 driver. The issue results from the lack of validating the existence of an object prior to performing operations on the object," Team ZDI said. "An attacker can leverage this to escalate privileges in the context of the kernel."

The duo claimed that, despite having made Google aware of the double-free privilege escalation months ago, the Chocolate Factory has yet to say when it will be able to put out any sort of fix for the bug. Google did not respond to a request for comment on the matter. ®

Sponsored: How to Process, Wrangle, Analyze and Visualize your Data with Three Complementary Tools

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER




Biting the hand that feeds IT © 1998–2019