Google released December patches for Android, which fixed dozens of vulnerabilities

Google released the December patches for Android and published another bulletin listing the vulnerabilities fixed in the mobile OS. A dozen of them are relevant for all Android devices, regardless of manufacturer.

The most serious problem, according to developers, is associated with an error in the code of the Framework component.

“The most severe of these issues is a critical security vulnerability in the Framework component that could enable a remote attacker using a specially crafted message to cause a permanent denial of service. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” the Google bulletin reports.

Two vulnerabilities in the Media Framework allow remote execution of malicious code with high privileges. The bugs are rated critical for Android versions 8.0, 8.1 and 9. Installing Android 10 can reduce the threat level to moderate in both cases.

Three critical vulnerabilities are also patched in Qualcomm Technologies’ closed-source components.

According to the description on the company’s website, all of them are caused by buffer overflow errors.

“Qualcomm chipset firmware identified another 19 problems; their degree of threat is slightly lower, but still high. It’s noteworthy that 12 dangerous bugs are tied to the WLAN module and allow attacks on Android devices via Wi-Fi,” the bulletin reports.

At the same time, an update for Pixel was released. It fixes all the new Android vulnerabilities, as well as eight security issues that are unique to devices manufactured by Google. Two additional bugs are present in the system components of Android 10; the rest are in the kernel components.

The System bug that leads to the disclosure of confidential information is rated critical, and the one that allows privilege escalation is rated high. The kernel-level bugs are rated moderate.

According to Google, its partners were warned of the new Android problems at least a month before the release of the December security bulletin. The source code for the patches usually becomes available in the Android Open Source Project (AOSP) repository two days after the publication of the list of fixed vulnerabilities.