Google has released fixes for three critical remote code execution bugs in the media framework of its Android operating system. These flaws could allow a remote attacker to execute arbitrary code.
The flaws are part of Google’s July Android Security Bulletin, which included fixes for 12 critical and high-severity vulnerabilities. For its part, Qualcomm, whose chips are used in Android devices, also patched 21 vulnerabilities, according to the bulletin.
“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” according to Android’s Monday security bulletin.
These three critical flaws (CVE-2019-2106, CVE-2019-2107, CVE-2019-2109) exist in Android’s Media framework. This framework includes support for playing variety of common media types, so that users can easily utilize audio, video and images.
The flaws “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process” according to Google.
Another critical vulnerability (CVE-2019-2111) also exists in the Android operating system. The critical remote code execution flaw could allow a remote attacker using a specially crafted file to execute arbitrary code, according to the advisory.
Overall, the operating system had six other high-severity vulnerabilities, including four information disclosure flaws (CVE-2019-2116, CVE-2019-2117, CVE-2019-2118, CVE-2019-2119) and two elevation of privilege flaws (CVE-2019-2112, CVE-2019-2113).
Also patched was a high severity information disclosure flaw (CVE-2019-2104) in the Android framework, and a high-severity remote code execution vulnerability (CVE-2019-2105) in the Android library.
Qualcomm Patches
Google also patched 21 CVEs related to Qualcomm components, which are used in Android devices. Included are a slew of vulnerabilities impacting various Qualcomm components, including kernel, audio and closed-source components. These include five critical severity vulnerabilities and 16 high-severity flaws.
Google said there are no reports of the vulnerabilities being actively exploited.
Manufacturer Updates
Manufacturers of Android devices push out their own patches to address the July updates in tandem with or after the Google Security Bulletin.
LG issued a security update addressing patches released by Google, including all critical flaws. “LG recommends all users update their devices to the latest SW,” according to the release. “All SW updates include all the available security patches at the moment of release.”
Samsung said in a security alert it is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process – including patches from Google.
In an online statement, Nokia said: “[Nokia owner] HMD Global is delivering the latest Security Patches to your Android smartphone as quickly as possible. However, there are several factors which may affect the date you actually receive an update. These factors include device model, region, location, operator approvals, and Google’s Security Patch Monthly Release announcement. Security Patches are also sometimes included with Maintenance Releases.”
