Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Patches Critical Flaws in Android’s System Component

Google this week released its November 2019 set of security patches for Android to address nearly 40 vulnerabilities affecting the platform, including critical flaws in the System component.

Google this week released its November 2019 set of security patches for Android to address nearly 40 vulnerabilities affecting the platform, including critical flaws in the System component.

The first part of the November 2019 Android Security Bulletin, namely the 2019-11-01 security patch level, resolves a total of 17 flaws in Framework, Library, Media framework, and System.

The most severe of these vulnerabilities is a Critical issue in the System component, which “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.

A total of three Critical flaws were addressed in System, all of which could lead to remote code execution. The first of them (CVE-2019-2204) impacts Android 9, while the other two (CVE-2019-2205 and CVE-2019-2206) impact Android 8.0, 8.1, 9 and 10.

Google this month patched five other flaws in the System component, all rated High severity. Two of these are elevation of privilege bugs, while the other three are information disclosure issues.

A total of six High risk issues were fixed in Framework, namely four elevation of privilege vulnerabilities and two information disclosure bugs. Google also patched a High severity remote code execution flaw in Library and two High risk elevation of privilege issues in the Media framework.

Google also addressed 21 vulnerabilities as part of the 2019-11-05 security patch level, including two High severity Information disclosure flaws in Framework, one High risk elevation of privilege in System, and three High severity elevation of privilege and one Moderate risk information disclosure weaknesses in Kernel components.

Additionally, the 2019-11-05 security patch level includes fixes for three High severity flaws in Qualcomm components and for five Critical and six High risk security flaws in Qualcomm closed-source components. No security issues were addressed in Google Play system updates this month.

Advertisement. Scroll to continue reading.

Pixel devices, however, received patches for a total of 20 vulnerabilities impacting Framework, LG components, Kernel components, Qualcomm components, and Qualcomm closed-source components, including elevation of privilege, remote code execution, and information disclosure bugs.

Affected components include Bootloader, Broadcom Firmware, Bluetooth, Crypto, EcoSystem, Audio, WLAN host, Boot, Services, Kernel, and Display.

Google also released multiple functional patches for all Pixel devices from Pixel 2 to Pixel 4 XL, to resolve issues with stability and improve audio, graphics, camera, and assistant features.

“For Google devices, security patch levels of 2019-11-05 or later address all issues in this bulletin and all issues in the November 2019 Android Security Bulletin,” Google notes in the Pixel Update Bulletin for November 2019.

Related: Researcher Publishes PoC Exploit for Recent Android Zero-Day

Related: Google Patches Remote Code Execution Bugs in Android 10

Related: Android’s September 2019 Patches Fix Nearly 50 Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.