Google Patches Critical Flaws in Android’s System Component

Google this week released its November 2019 set of security patches for Android to address nearly 40 vulnerabilities affecting the platform, including critical flaws in the System component.

The first part of the November 2019 Android Security Bulletin, namely the 2019-11-01 security patch level, resolves a total of 17 flaws in Framework, Library, Media framework, and System.

The most severe of these vulnerabilities is a Critical issue in the System component, which “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.

A total of three Critical flaws were addressed in System, all of which could lead to remote code execution. The first of them (CVE-2019-2204) impacts Android 9, while the other two (CVE-2019-2205 and CVE-2019-2206) impact Android 8.0, 8.1, 9 and 10.

Google this month patched five other flaws in the System component, all rated High severity. Two of these are elevation of privilege bugs, while the other three are information disclosure issues.

A total of six High risk issues were fixed in Framework, namely four elevation of privilege vulnerabilities and two information disclosure bugs. Google also patched a High severity remote code execution flaw in Library and two High risk elevation of privilege issues in the Media framework.

Google also addressed 21 vulnerabilities as part of the 2019-11-05 security patch level, including two High severity Information disclosure flaws in Framework, one High risk elevation of privilege in System, and three High severity elevation of privilege and one Moderate risk information disclosure weaknesses in Kernel components.

Additionally, the 2019-11-05 security patch level includes fixes for three High severity flaws in Qualcomm components and for five Critical and six High risk security flaws in Qualcomm closed-source components. No security issues were addressed in Google Play system updates this month.

Pixel devices, however, received patches for a total of 20 vulnerabilities impacting Framework, LG components, Kernel components, Qualcomm components, and Qualcomm closed-source components, including elevation of privilege, remote code execution, and information disclosure bugs.

Affected components include Bootloader, Broadcom Firmware, Bluetooth, Crypto, EcoSystem, Audio, WLAN host, Boot, Services, Kernel, and Display.

Google also released multiple functional patches for all Pixel devices from Pixel 2 to Pixel 4 XL, to resolve issues with stability and improve audio, graphics, camera, and assistant features.

“For Google devices, security patch levels of 2019-11-05 or later address all issues in this bulletin and all issues in the November 2019 Android Security Bulletin,” Google notes in the Pixel Update Bulletin for November 2019.

Related: Researcher Publishes PoC Exploit for Recent Android Zero-Day

Related: Google Patches Remote Code Execution Bugs in Android 10

Related: Android’s September 2019 Patches Fix Nearly 50 Vulnerabilities