The most dire vulnerability targets the Android framework and could allow an adversary to execute arbitrary code on targeted devices.
Google patched six critical remote code execution flaws in its Android operating system as part of its October Android Security Bulletin. Four of those remote code execution flaws are tied to Android’s Media framework and impact a wide range of Android devices including Google’s Pixel and Nexus phones along with handsets made by Samsung, Huawei and LG.
“The most severe of these issues is a critical security vulnerability in Framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” according to the bulletin released Monday. Google’s Framework simply refers to the entire component stack that make up the Android OS, which includes native libraries.
In all, Google reported 26 vulnerabilities with eight rated critical, 17 rated high and one rated moderate. Over-the-air updates for Google’s Pixel and Nexus phones are available now, with patches expected from other vendors in the days or weeks ahead.
According to Samsung’s Android security bulletin, also released Monday, are patches for four additional critical vulnerabilities in its handsets that include Galaxy S, Galaxy Note and Galaxy A series phones. Those vulnerabilities (CVE-2016-10394, CVE-2018-11950, CVE-2018-5866, CVE-2018-11824) were leftovers from Google’s September Android Security Bulletin.
The vulnerabilities are tied to the Android OS Trusted Execution Environment, “a secure area of a main processor. It guarantees code and data loaded inside to be protected with respect to confidentiality and integrity,” according to an Android Open Source Project description. Credited for finding the vulnerabilities (CVE-2018-11824, CVE-2018-5866, CVE-2018-5914) is Twitter user and bounty hunter @derrekr6.
Also included in Samsung’s October alert are three critical patches tied to Adobe vulnerabilities announced Monday. The CVEs (CVE-2018-12853, CVE-2018-12852, CVE-2018-12881) are each described as “Arbitrary memory write with the Trustlet” bugs. Trustlets are small applications that run inside the Android OS Trusted Execution Environment.
Handset maker LG issued updates for 14 critical vulnerabilities, six more than Google. Each of the six vulnerabilities (CVE-2016-10394, CVE-2017-18314, CVE-2017-18311, CVE-2018-11950, CVE-2018-5866, CVE-2018-11824) patched by LG are for Qualcomm “closed-source components” and were part of Google’s September Android Security Bulletin. LG handsets impacted include; G series (G5, G6), V series (V10, V20, V30) , Q Series (Q6, Q8) , X Series (X300, X400, X500, X cam).
“LG will determine if updates are released monthly, quarterly, or irregularly, depending on regions and carriers,” the vendor stated in its LG Security Bulletin.
As for the vulnerabilities announced on Monday, Google said there are no reports of active exploitation or abuse of the newly reported issues. – CT Bureau