Google patched 11 critical vulnerabilities in its Android operating system this week, seven of which are remote code execution bugs. In total, 37 flaws were patched, with 26 rated as high severity.
The most severe of the bugs is a critical security vulnerability found in the Media Framework component of the Android OS, according to the Android Security Bulletin published on Monday. Google said that the flaw “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”
“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” Google wrote.
It added that there are no reports of the vulnerability being actively exploited. Google said an over-the-air update and firmware images for Google devices are available for its Pixel and Nexus devices and third-party carriers will also deliver updates to vendor handsets.
Ten system vulnerabilities were identified with the most severe being a critical remote code execution bug that could “enable a proximate attacker to execute arbitrary code within the context of a privileged process,” according to the security bulletin.
Part of Google’s bulletin also included patches for bugs in NVIDIA and Qualcomm components used in Android handsets. Two information disclosure bugs, rated high severity, were patched by NVIDIA and 11 wireless network driver and WLAN Qualcomm flaws were also fixed in its flagship Pixel and Nexus phones.
Along with Google patches, Samsung Mobile also announced five patches for Samsung-specific vulnerabilities. The most serious was rated high in severity and is described by Samsung as an “Accessing the Clipboard content using Edge panel” bug.
“The clipboard edge allows attackers to access device information without user authentication for a short period after locking screen once. The patch protects contents of clipboard using a screen lock type when turning the Clipboard Edge on,” according to Samsung’s bulletin.
A bug rated low by Samsung “allows NFC (Near Field Communication) activation to bypass lockscreen when a magnet is brought close to a specific point of device,” according to the company. The patch disables NFC activation in such event, Samsung said.