Google this week released a new set of security patches for the Android platform, to address nearly 50 vulnerabilities in multiple components, including two critical flaws impacting the Media framework.
Fixed as part of the 2019-09-01 security patch level, both of these security bugs could allow attackers to remotely execute code on vulnerable systems. Tracked as CVE-2019-2176, the first of them impacts Android 8.0, 8.1 and 9, while the second, CVE-2019-2108, affects Android 10.
To exploit the most severe of these critical vulnerabilities, a remote attacker would need a specially crafted file. Successful exploitation could result in arbitrary code execution within the context of a privileged process, Google says.
“These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Center for Internet Security explains in an advisory.
Google addressed 11 other vulnerabilities as part of the 2019-09-01 security patch level, all of which were rated High severity.
Five of these impact Framework (4 elevation of privilege and 1 information disclosure), while the remaining six were found in System (1 remote code execution, 2 elevation of privilege, and 3 information disclosure).
Fixes for 36 other bugs were included in the second part of Android’s September 2019 security update. These impact kernel components (2 elevation of privilege, High severity), NVIDIA components (2 elevation of privilege and 1 information disclosure, High severity), Qualcomm components (17 High severity bugs), and Qualcomm closed-source components (2 Critical and 12 High severity issues).
In addition to these security patches, Google released fixes for more than 100 vulnerabilities for supported Google devices that were updated to Android 10.
These impact Broadcom components (1 elevation of privilege, Moderate severity), LG components (1 elevation of privilege, 2 information disclosure, all Moderate severity), kernel components (1 elevation of privilege and 1 information disclosure, High severity; and 28 elevation of privilege, 1 denial of service, 11 information disclosure, all Moderate severity), Qualcomm components (53 Medium severity), and Qualcomm closed-source components (4 Medium severity).
Related: Google, ARM Boost Android Security With Memory Tagging Extension
Related: Google Patches Critical Code Execution Bugs in Android Media Framework