Android Security Bulletin September 2018: What you need to know



Image: Jack Wallen

Autumn is here and that means a new Android Security Bulletin. This month seems like a re-run in preparation for the fall lineup that promises something very special to come. Let’s talk about the vulnerabilities found in the latest Android security patches.

Before we dive into what’s included with this month’s bulletin, it’s always good to know what security release is installed on your device. To no surprise, my daily driver, an Essential PH-1, is running a security patch that is up to date (September 5, 2018).

To find out what patch level you are running, open Settings and go to About Phone. If you’re using Android Pie, that location changed to Settings | Security & Location | Security update. Scroll down until you see Android security patch level (Figure A).


Figure A


The Essential PH-1 is almost always up to date.

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCE—Remote code execution
  • EoP—Elevation of privilege
  • ID—Information disclosure
  • DoS—Denial of service

And now, onto the issues.

09/01/2018 Security Patch Level

Critical Issues

There were only three vulnerabilities marked Critical for 09/01/2018. Each of these issues is marked as such because it could enable a local attacker to bypass user interaction requirements in order to gain access to additional permissions. These issues are (listed by CVE, Reference, and Type):

High Issues

There were a number of vulnerabilities marked High. The first two are found in the Android Runtime and could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of an application that uses this particular library. These issues are (listed by CVE, Reference, and Type):

The next three vulnerabilities marked High are found in the Framework. These issues could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of an unprivileged process. These issues are (listed by CVE, Reference, and Type):

Next is a single High vulnerability found in the Library. This issue could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of an application that uses this particular library. The issue is (listed by CVE, Reference, and Type):

Another single High issue is associated with the Media Framework. This issue could enable a locally installed, malicious application to bypass user interaction requirements to gain additional permissions. The issue is (listed by CVE, Reference, and Type):

The System was hit with 10 issues marked High. These issues could enable a local attacker to bypass user interaction requirements to gain access to additional permissions. These issues are (listed by CVE, Reference, and Type):

09/05/2018 Security Patch Level

Critical Issues

The only Critical issues were related to Qualcomm closed source components. No details about these issues were released (outside of the Qualcomm APSS Security Bulletin). The vulnerabilities are (listed by CVE and Reference):

  • CVE-2016-10394 A-68326803
  • CVE-2017-18314 A-62213176
  • CVE-2017-18311 A-73539234
  • CVE-2018-11950 A-72950814
  • CVE-2018-5866 A-77484228
  • CVE-2018-11824 A-111090697

High Issues

The first High vulnerability can be found in the Framework. This issue could enable a locally-installed, malicious application to bypass operating system protections in place to isolate application data from other applications. The issue is (listed by CVE, Reference, and Type):

The next High issue affects the Kernel. This vulnerability could enable a remote attacker to access data that is normally only accessible to locally installed applications. The issue is (listed by CVE, Reference, and Type):

  • CVE-2017-5754 A-69856074 ID

Next we have a few High issues that affect Qualcomm open source components. These issues are described in detail in the Qualcomm APSS security bulletin. The issues are (listed by CVE, Reference, Qualcomm Reference, and Component):

  • CVE-2018-11816 A-63527106 QC-CR#2119840 Video
  • CVE-2018-11261 A-64340487 QC-CR#2119840 Video
  • CVE-2018-11836 A-111128620 QC-CR#2214158 WLAN HOST
  • CVE-2018-11842 A-111124974 QC-CR#2216741 WLAN HOST
  • CVE-2018-11898 A-111128799 QC-CR#2233036 WLAN HOST

Finally, Qualcomm closed source components were hit with a large number of High vulnerabilities. No details about these issues have been released (outside of the Qualcomm APSS Security Bulletin). The vulnerabilities (listed by CVE and Reference) are:

  • CVE-2016-10408 A-68326811
  • CVE-2017-18313 A-78240387
  • CVE-2017-18312 A-78239234
  • CVE-2017-18124 A-68326819
  • CVE-2018-3588 A-71501117
  • CVE-2018-11951 A-72950958
  • CVE-2018-11952 A-74236425
  • CVE-2018-5871 A-77484229
  • CVE-2018-5914 A-79419793
  • CVE-2018-11288 A-109677940
  • CVE-2018-11285 A-109677982
  • CVE-2018-11290 A-109677964
  • CVE-2018-11292 A-109678202
  • CVE-2018-11287 A-109678380
  • CVE-2018-11846 A-111091377
  • CVE-2018-11855 A-111090533
  • CVE-2018-11857 A-111093202
  • CVE-2018-11858 A-111090698
  • CVE-2018-11866 A-111093021
  • CVE-2018-11865 A-111093167

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.
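
To run the patch level check from a workstation instead of the Settings screen, the following added example (not part of the original article) classifies a reported level against the two levels this bulletin covers. It assumes adb with USB debugging enabled for the live read, and that the 09/05 level includes the 09/01 fixes; the function names and the inventory are constructed for illustration.

```shell
#!/bin/sh
# Patch levels taken from the bulletin discussed on this page.
PARTIAL_LEVEL="2018-09-01"   # first set of fixes in the bulletin
FULL_LEVEL="2018-09-05"      # adds the kernel and Qualcomm component fixes

# Turn YYYY-MM-DD into an integer (20180905); fail on any other format.
level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# Print one of: unknown, missing-all, partial, full.
classify_patch_level() {
    lvl=$(level_to_int "$1") || { echo "unknown"; return 0; }
    if [ "$lvl" -lt "$(level_to_int "$PARTIAL_LEVEL")" ]; then
        echo "missing-all"
    elif [ "$lvl" -lt "$(level_to_int "$FULL_LEVEL")" ]; then
        echo "partial"
    else
        echo "full"
    fi
}

# Read the level from a connected device (not called below, so the
# script runs offline). Usage: classify_patch_level "$(device_patch_level)"
device_patch_level() {
    adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r'
}

# Constructed inventory (device name and reported level), not real devices.
audit_inventory() {
    while read -r name level; do
        printf '%s\t%s\t%s\n' "$name" "${level:-none}" "$(classify_patch_level "$level")"
    done <<'EOF'
phone-a 2018-09-05
phone-b 2018-09-01
phone-c 2018-06-05
phone-d
EOF
}

audit_inventory
```

A device reported as `partial` has the 09/01 fixes but not the kernel and Qualcomm fixes listed under 09/05; `unknown` means the device returned no level or one in an unexpected format.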
