Google patched four remote code-execution (RCE) flaws as part of its May Android Security Bulletin.
Three of the critical bugs are in the System component of the Android platform, which the bulletin describes as covering core functionality such as the dialer, email and camera.
A fourth critical RCE bug opens the door to an attack on the Android operating system's Media framework.
Other details of the patches haven't been disclosed, but in all, the four fixes (CVE-2019-2045, CVE-2019-2046 and CVE-2019-2047 in System, and CVE-2019-2044 in the Media framework) will be sent over the air to Google Pixel handsets over the next few days, and they apply to devices running Android 7, 8 and 9.
Other devices, however, will remain vulnerable for a while: Patches for Android handsets made by manufacturers such as Samsung and LG should arrive over the next few weeks.
Earlier this week Google also released patches for 10 bugs rated high and one rated moderate, as well as fixes for flaws in third-party components from vendors such as NVIDIA, Broadcom and Qualcomm, bringing the total number of fixed CVEs to 30.
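Because the fixes reach Pixel phones first and other handsets weeks later, the practical question for a fleet is whether a given device has actually received the May 2019 patch level. The following Python check is an added example, not code from the original article or from Google: it parses `adb shell getprop` output and classifies each device against the bulletin's two patch levels. The dates 2019-05-01 (platform fixes, including the four critical RCEs) and 2019-05-05 (additionally the kernel and vendor component fixes) follow the bulletin's usual naming convention and are assumptions here, and the device dumps are constructed for illustration.

```python
import re
from datetime import date

# Security patch levels assumed for the May 2019 bulletin (bulletin convention:
# the -01 level covers the Android platform fixes, the -05 level adds kernel and
# vendor component fixes such as NVIDIA, Broadcom and Qualcomm).
PLATFORM_LEVEL = date(2019, 5, 1)
FULL_LEVEL = date(2019, 5, 5)

# Android releases the bulletin's fixes apply to (7.x, 8.x and 9).
AFFECTED_MAJOR_VERSIONS = {7, 8, 9}

# `getprop` prints one property per line as "[name]: [value]".
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(dump):
    """Parse `adb shell getprop` output into a dict, skipping malformed lines."""
    props = {}
    for line in dump.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_patch_level(value):
    """Convert a ro.build.version.security_patch string (YYYY-MM-DD) to a date."""
    try:
        y, m, d = (int(x) for x in value.strip().split("-"))
        return date(y, m, d)
    except (ValueError, AttributeError):
        return None  # missing or garbled property: caller treats it as unknown


def assess(dump):
    """Classify one device dump against the May 2019 patch levels."""
    props = parse_getprop(dump)
    level = parse_patch_level(props.get("ro.build.version.security_patch"))
    release = props.get("ro.build.version.release", "")
    try:
        major = int(release.split(".")[0])
    except ValueError:
        major = None

    if level is None:
        status = "unknown"          # cannot prove it is patched; treat as unpatched
    elif level >= FULL_LEVEL:
        status = "full"             # platform + kernel/vendor fixes present
    elif level >= PLATFORM_LEVEL:
        status = "platform-only"    # the four critical RCEs fixed, vendor bits not yet
    else:
        status = "unpatched"

    return {
        "release": release,
        "in_bulletin_scope": major in AFFECTED_MAJOR_VERSIONS,
        "patch_level": level.isoformat() if level else None,
        "status": status,
    }


# Constructed sample dumps (not real devices); only the relevant lines are shown.
PIXEL_DUMP = """
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-05-05]
[ro.product.model]: [Pixel 3]
"""

OEM_BEHIND_DUMP = """
[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2019-04-01]
"""

OEM_PARTIAL_DUMP = """
[ro.build.version.release]: [7.1.2]
[ro.build.version.security_patch]: [2019-05-01]
"""

BROKEN_DUMP = """
[ro.build.version.release]: [9]
this line is not a property
"""


def summarize(dumps):
    """Map a device label to its patch status for a quick fleet overview."""
    return {name: assess(dump)["status"] for name, dump in dumps.items()}


if __name__ == "__main__":
    for name, result in summarize({
        "pixel": PIXEL_DUMP,
        "oem-behind": OEM_BEHIND_DUMP,
        "oem-partial": OEM_PARTIAL_DUMP,
        "broken": BROKEN_DUMP,
    }).items():
        print(f"{name}: {result}")
```

A device reporting no `ro.build.version.security_patch` at all is deliberately classified as unknown rather than assumed safe, and the release check only tells you whether the bulletin's fixes were meant for that Android version; it does not by itself mean the OEM shipped them.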
Google Retools Patch Deployment
On Tuesday, Google said its next-generation mobile operating system, Android Q, revamps the way it delivers direct over-the-air updates.
Security updates have long been a pain point for Android: because the operating system is used by so many device manufacturers, each of them needs time to push out updates. Those updates are delivered over the air, but so far they have been tied to the monthly update cycle. That is about to change with Google's effort to streamline patching by splitting the OS into update-friendly modules that can receive direct over-the-air patches whenever they are needed.
LG and Samsung Play Patch Catchup
For its part, LG said that users will receive patches for 89 CVEs as part of the company's May patching schedule. Twelve of the CVEs are rated critical and include those patched by Google this month. However, eight critical CVEs (CVE-2019-2029, CVE-2018-11940, CVE-2018-11976, CVE-2018-12004, CVE-2018-13886, CVE-2018-13887, CVE-2018-11271, CVE-2019-2250) appear to be unique to LG's security bulletin.
Similarly, Samsung will push out seven critical patches, three of which (CVE-2018-13886, CVE-2018-11271, CVE-2018-11940) are not among Google's four. In all, Samsung patched 76 bugs, compared with the 30 CVEs, third-party components included, in Google's bulletin.
Google Thanks Researchers
As part of its May Security Bulletin, Google also credited the researchers who reported the bugs:
Chong Wang (weibo.com/csddl) of Chengdu Security Response Center, Qihoo 360 Technology Co. Ltd. – CVE-2019-2053
Cusas of L.O. Team – CVE-2019-2044
derrek (@derrekr6) – CVE-2018-6243, CVE-2018-13898, CVE-2018-13908
Evgenii Stepanov of Google – CVE-2019-2049
Jann Horn of Google Project Zero – CVE-2019-2054
Ji Zhang (@opc0nt7) and Mingjian Zhou (周明建) (@Mingjian_Zhou) of C0RE Team – CVE-2019-2050
Joshua Steiner – CVE-2019-2043
Pengfei Ding (丁鹏飞) of Huawei – CVE-2018-11955
Wei Liu (刘炜) and Yongke Wang (王永科) (@Rudykewang) of Tencent Security Xuanwu Lab (腾讯安全玄武实验室) – CVE-2019-2045, CVE-2019-2046, CVE-2019-2047, CVE-2019-2051, CVE-2019-2052
Wen Guanxing of Pangu LAB – CVE-2018-13910
Xiling Gong of Tencent Blade Team – CVE-2018-5912, CVE-2019-2256