Google this week released a new set of security patches for the Android platform, to address nearly 50 vulnerabilities in multiple components, including two critical flaws impacting the Media framework.
Fixed as part of the 2019-09-01 security patch level, both of these security bugs could allow attackers to remotely execute code on vulnerable systems. Tracked as CVE-2019-2176, the first of them impacts Android 8.0, 8.1 and 9, while the second, CVE-2019-2108, affects Android 10.
To exploit the most severe of these critical vulnerabilities, a remote attacker would need a specially crafted file. Successful exploitation could result in arbitrary code execution within the context of a privileged process, Google says.
“These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Center for Internet Security explains in an advisory.
Google addressed 11 other vulnerabilities as part of the 2019-09-01 security patch level, all of which were rated High severity.
Five of these impact Framework (4 elevation of privilege and 1 information disclosure), while the remaining six were found in System (1 remote code execution, 2 elevation of privilege, and 3 information disclosure).
Fixes for 36 other bugs were included in the second part of Android’s September 2019 security update. These impact kernel components (2 elevation of privilege, High severity), NVIDIA components (2 elevation of privilege and 1 information disclosure, High severity), Qualcomm components (17 High severity bugs), and Qualcomm closed-source components (2 Critical and 12 High severity issues).
In addition to these security patches, Google released fixes for more than 100 vulnerabilities for supported Google devices that were updated to Android 10.
These impact Broadcom components (1 elevation of privilege, Moderate severity), LG components (1 elevation of privilege, 2 information disclosure, all Moderate severity), kernel components (1 elevation of privilege and 1 information disclosure, High severity; and 28 elevation of privilege, 1 denial of service, 11 information disclosure, all Moderate severity), Qualcomm components (53 Medium severity), and Qualcomm closed-source components (4 Medium severity).
Related: Google, ARM Boost Android Security With Memory Tagging Extension
Related: Google Patches Critical Code Execution Bugs in Android Media Framework
Related: Android Enterprise Receives ISO 27001 Stamp

More from Ionut Arghire
- KeePass Update Patches Vulnerability Exposing Master Password
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Apple Unveils Upcoming Privacy and Security Features
- Dozens of Malicious Extensions Found in Chrome Web Store
- Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security
- Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities
- Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards
Latest News
- KeePass Update Patches Vulnerability Exposing Master Password
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Keep Aware Raises $2.4M to Eliminate Browser Blind Spots
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Zoom Expands Privacy Options for European Customers
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Apple Unveils Upcoming Privacy and Security Features
