Google Patches Critical Remote Code Execution Bugs in Android OS

The July Android Security bulletin tackles 44 vulnerabilities in all, with the bulk rated high in severity.

Google issued 44 patches for its Android operating system as part of its July Security Bulletin this week. Of those vulnerabilities, 11 were rated critical and the remainder were rated high in severity.

The vulnerabilities varied from OS framework to Media framework bugs, including system and kernel component-related issues. Google said the most severe of the vulnerabilities patched is a critical flaw in the Android OS Media framework. If exploited, a remote attacker could use a specially crafted file and execute arbitrary code within the context of a privileged process.

That bug was one of five remote code execution (RCE) vulnerabilities, four of which were rated critical in severity. RCE bugs were spread across the Android platform impacting the handset System, Media Framework and the overall OS Framework.

“The most severe [Framework] vulnerability (CVE-2018-9433) in this section could enable a remote attacker using a specially crafted PAC file to execute arbitrary code within the context of a privileged process,” wrote Google in its bulletin.

PAC files are text files that instruct a browser to forward traffic to a proxy server, instead of directly to the destination server, according to a Zscaler description of a PAC.

Over two dozen vulnerabilities were tied to bugs found in Qualcomm system components. The most serious of the Qualcomm flaws is a vulnerability (CVE-2018-5872) that could enable a nearby attacker, using a specially crafted file, to execute arbitrary code within the context of a privileged process.

The vulnerability is tied to the open-source WLAN component identified as “qca-wifi-host-cmn.” According to Qualcomm, “Currently there is no individual length check to each [Beacon Information element], which could probably result in buffer overead.” Beacon IEs contain all the information about WLAN network.

A separate July Security Bulletin was released for the Pixel and Nexus handsets by Google.Leading Android phone makers Samsung, LG and others also timed releases of their July security bulletins. Google releases patches as part of its Android Open Source Project on Monday. Vendors then roll out over-the-air patches to qualifying devices over the proceeding days and weeks.

Suggested articles