Google patched 10 critical remote code execution bugs in its August Android Security Bulletin issued Monday. It warned that the most severe RCE vulnerabilities could enable a remote attacker, using a specially crafted file, to execute arbitrary code within the context of a privileged process.
The security bulletin includes over-the-air updates and firmware images for Google’s Pixel, Pixel XL and Pixel C phones along with its Nexus devices (5X, 6, 6P, 9 and Player). Wireless carriers are expected to also push out these OTA updates to leading handset models in the days and weeks ahead.
The bulk of the vulnerabilities (49 in all) were tied to Android’s problem-plagued Media Framework, which includes MediaServer, AudioServer, CameraServer and more. The update also included a bevy of patches fixing elevation of privilege vulnerabilities, ranked high and moderate, affecting everything from Android kernel components to chipsets made by MediaTek, Broadcom and Qualcomm.
It was Broadcom last month that made headlines for the “Broadpwn” bug affecting millions of Android and iOS devices. This month, Google issued a patch to fix a moderate vulnerability tied to the chipset’s network driver that could enable a remote attacker, using a specially crafted file, to execute arbitrary code within the context of an unprivileged process.
MediaTek had the most severe chipset bug (rated high), an elevation of privilege (EoP) vulnerability affecting the GPU driver. This vulnerability enabled a local malicious application to execute arbitrary code within the context of a privileged process.
As part of its monthly Android Security Bulletin, Google acknowledged bug bounty hunters such as Zinuo Han of Chengdu Security Response Center, Qihoo 360 Technology, and Ao Wang of Pangu Team, who together found half of this month’s critical bugs.
Also acknowledged were Song of Alibaba Mobile Security Group, IceSword Lab, C0RE Team and Tesla’s Product Security Team.
By comparison, July’s Android Security Bulletin addressed 11 critical security flaws found in the Android platform. Last August, Google patched more than three dozen critical vulnerabilities in Qualcomm components alone that were embedded in the Android operating system, all of them allowing attackers to gain a foothold on devices to launch further attacks.
Over the past several years, Google has prioritized shrinking the Android attack surface. Those efforts have included focusing on containment of key aspects of the Android system such as the Media Framework and the Android kernel. Google calls these efforts architectural separation and architectural decomposition; they were the subject of a Black Hat presentation last month.