Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Android’s September 2019 Patches Fix Nearly 50 Vulnerabilities

Google this week released a new set of security patches for the Android platform, to address nearly 50 vulnerabilities in multiple components, including two critical flaws impacting the Media framework.

Google this week released a new set of security patches for the Android platform, to address nearly 50 vulnerabilities in multiple components, including two critical flaws impacting the Media framework.

Fixed as part of the 2019-09-01 security patch level, both of these security bugs could allow attackers to remotely execute code on vulnerable systems. Tracked as CVE-2019-2176, the first of them impacts Android 8.0, 8.1 and 9, while the second, CVE-2019-2108, affects Android 10.

To exploit the most severe of these critical vulnerabilities, a remote attacker would need a specially crafted file. Successful exploitation could result in arbitrary code execution within the context of a privileged process, Google says.

“These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Center for Internet Security explains in an advisory.

Google addressed 11 other vulnerabilities as part of the 2019-09-01 security patch level, all of which were rated High severity.

Five of these impact Framework (4 elevation of privilege and 1 information disclosure), while the remaining six were found in System (1 remote code execution, 2 elevation of privilege, and 3 information disclosure).

Fixes for 36 other bugs were included in the second part of Android’s September 2019 security update. These impact kernel components (2 elevation of privilege, High severity), NVIDIA components (2 elevation of privilege and 1 information disclosure, High severity), Qualcomm components (17 High severity bugs), and Qualcomm closed-source components (2 Critical and 12 High severity issues).

In addition to these security patches, Google released fixes for more than 100 vulnerabilities for supported Google devices that were updated to Android 10.

These impact Broadcom components (1 elevation of privilege, Moderate severity), LG components (1 elevation of privilege, 2 information disclosure, all Moderate severity), kernel components (1 elevation of privilege and 1 information disclosure, High severity; and 28 elevation of privilege, 1 denial of service, 11 information disclosure, all Moderate severity), Qualcomm components (53 Medium severity), and Qualcomm closed-source components (4 Medium severity).

Related: Google, ARM Boost Android Security With Memory Tagging Extension

Related: Google Patches Critical Code Execution Bugs in Android Media Framework

Related: Android Enterprise Receives ISO 27001 Stamp

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.