Google has started rolling out this month’s security updates for its mobile operating system platform to address a total of 33 new security vulnerabilities affecting Android devices, 9 of which have been rated critical in severity.
The vulnerabilities affect various Android components, including the Android operating system, framework, library, media framework, as well as Qualcomm components, including closed-source components.
Three of the critical vulnerabilities patched this month reside in Android’s Media framework, the most severe of which could allow a remote attacker to execute arbitrary code on a targeted device, within the context of a privileged process, by convincing users to open a specially crafted malicious file.
“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” the company says.
Out of the remaining seven critical vulnerabilities, one affects Android Library, one affects the System, two reside in Qualcomm components (one in DSP_Services and one in Kernel), and three reside in Qualcomm closed-source components.
Besides this, a high-severity flaw (CVE-2019-2104) in the Android Framework could allow an installed malicious app to bypass user interaction requirements in an attempt to gain access to additional permissions.
Six high-severity vulnerabilities addressed in Qualcomm components reside in WLAN Host (CVE-2019-2276, CVE-2019-2307), WLAN Driver (CVE-2019-2305), HLOS (CVE-2019-2278), and Audio (CVE-2019-2326, CVE-2019-2328).
According to the Android security advisory, none of the flaws addressed this month were publicly disclosed or found being exploited in the wild.