Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Android’s September 2019 Patches Fix Nearly 50 Vulnerabilities

Google this week released a new set of security patches for the Android platform, to address nearly 50 vulnerabilities in multiple components, including two critical flaws impacting the Media framework.

Google this week released a new set of security patches for the Android platform, to address nearly 50 vulnerabilities in multiple components, including two critical flaws impacting the Media framework.

Fixed as part of the 2019-09-01 security patch level, both of these security bugs could allow attackers to remotely execute code on vulnerable systems. Tracked as CVE-2019-2176, the first of them impacts Android 8.0, 8.1 and 9, while the second, CVE-2019-2108, affects Android 10.

To exploit the most severe of these critical vulnerabilities, a remote attacker would need a specially crafted file. Successful exploitation could result in arbitrary code execution within the context of a privileged process, Google says.

“These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Center for Internet Security explains in an advisory.

Google addressed 11 other vulnerabilities as part of the 2019-09-01 security patch level, all of which were rated High severity.

Five of these impact Framework (4 elevation of privilege and 1 information disclosure), while the remaining six were found in System (1 remote code execution, 2 elevation of privilege, and 3 information disclosure).

Fixes for 36 other bugs were included in the second part of Android’s September 2019 security update. These impact kernel components (2 elevation of privilege, High severity), NVIDIA components (2 elevation of privilege and 1 information disclosure, High severity), Qualcomm components (17 High severity bugs), and Qualcomm closed-source components (2 Critical and 12 High severity issues).

In addition to these security patches, Google released fixes for more than 100 vulnerabilities for supported Google devices that were updated to Android 10.

Advertisement. Scroll to continue reading.

These impact Broadcom components (1 elevation of privilege, Moderate severity), LG components (1 elevation of privilege, 2 information disclosure, all Moderate severity), kernel components (1 elevation of privilege and 1 information disclosure, High severity; and 28 elevation of privilege, 1 denial of service, 11 information disclosure, all Moderate severity), Qualcomm components (53 Medium severity), and Qualcomm closed-source components (4 Medium severity).

Related: Google, ARM Boost Android Security With Memory Tagging Extension

Related: Google Patches Critical Code Execution Bugs in Android Media Framework

Related: Android Enterprise Receives ISO 27001 Stamp

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.