Google has released two sets of updates for the Android operating system and fixed critical RCE vulnerabilities.
The patch sets, which arrived on November 1 and 5, 2019, contain 38 patches that fix bugs in the basic framework, kernel, libraries, and other parts of the OS. The developers also included in the November update code fixes for Qualcomm components provided by the chip manufacturer.Read also: Asian hack group Calypso attacks government agencies since 2016
As follows from the vendor’s bulletin, the three most critical errors in system components pose the greatest security risk. For security reasons, Google does not disclose the technical details of the vulnerabilities, but notes that all of them are related to the possibility of remote execution of third-party code.
“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed”, — explained developers.
The update contains patches for 13 issues, which can lead to an escalation of privileges on the device. In the main Android framework, were fixed four bugs of this type, the system components and the kernel received three patches, and the media platform two. Another eight vulnerabilities are related to the possibility of disclosure of important data. One of them has an average threat level, the rest experts rate as dangerous.
According to Google, three Qualcomm patches relate to the graphics driver and software for working with Wi-Fi. Another 11 patches fix bugs in components with closed source code. Five vulnerabilities closed by the chip manufacturer are rated as critical, other bugs have a high level of threat.
The previous set of patches for Android was released in early October. In addition to patches for three dozen dangerous bugs, the update contained a fix for a critical 0-day vulnerability in the Binder component. The issue with CVE-2019-2215 ID allowed privilege escalation and root privileges on the target device. The operation of the bug did not imply interaction with the user, but required the installation of a malicious application.
