Google has fixed three critical remote code execution bugs in its Android operating system, which could allow a remote attacker to hijack a vulnerable system simply by sending a malicious file.
The flaws are part of Google’s April Android Security Bulletin, which includes patches for three critical and 12 high-severity Android bugs. For its part Qualcomm, whose chips are used in Android devices, it patched seven critical vulnerabilities and nearly 70 high-severity bugs, according to the bulletin.
“The most severe of the Android OS issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” said Google in its Monday advisory.
The Google Media framework is core to the Android OS and handles media content and android.media APIs that interact with device multimedia hardware.
The two critical remote code execution vulnerabilities, CVE-2019-2027 and CVE-2019-2028, exist in Media framework and allow remote code execution. According to Google, a remote attacker could use a specially crafted file to execute arbitrary code onto victims’ systems (within the context of a privileged process).
Technical details of the two critical vulnerabilities and other CVEs in the April bulletin are not available at this time.
Google also fixed a high-severity elevation of privilege flaw (CVE-2019-2026) in its operating system framework, which “could enable a local attacker to gain additional permissions bypass with user interaction.”
Eight high-severity flaws exist in Google’s Android 7.0 and later, which “could enable a local malicious application to execute arbitrary code within the context of a privileged process.”
These high-severity vulnerabilities consist of five elevation of privilege flaws (CVE-2019-2030, CVE-2019-2031, CVE-2019-2033, CVE-2019-2034, CVE-2019-2035) and three information disclosure glitches (CVE-2019-2038, CVE-2019-2039, CVE-2019-2040).
The 12 critical and high-severity flaws exist as part of Google’s first security patch level, meaning that they apply to everyone and need to be fixed right away.
Google also released vulnerabilities as part of a second “patch level,” which includes 78 CVEs related to Qualcomm. Included are a slew of vulnerabilities impacting Qualcomm components (specifically WLAN host, the kernel, and closed-source components), including a critical flaw (CVE-2018-11940) in WLAN host and six critical glitches in closed-source Qualcomm components.
Google said there are no reports of the vulnerabilities being actively exploited.
Manufacturers of Android devices push out their own patches to address the April updates in tandem with or after the Google Security Bulletin.
Samsung said in a security alert that it will release a maintenance release for major flagship models that include the critical (CVE-2019-2027, CVE-2019-2028, CVE-2019-2029) flaws and varying high-severity flaws in the April Android update.
Google Pixel phones meanwhile have yet to release a corresponding bulletin, saying on their update page that the fixes are coming soon.