Google released to all users and partners its November security bulletin for the Android operating system, with fixes for critical remote code execution (RCE) and privilege escalation vulnerabilities.
In October, the Alphabet company slipped a pre-release version of this batch of updates to at least one Google Pixel user. The over-the-air (OTA) update was a confidential build intended for internal use.
Until phone makers and mobile network operators push the latest Android patches to users' endpoints, one critical RCE identified as CVE-2018-9527 affects versions of the operating system 7.0 (Nougat) through 9 (Pie).
Another RCE classified as critical is CVE-2018-9531 and it affects Android Nougat only. Both flaws are present in the media framework of the OS and could allow an attacker to run arbitrary code on the system in the context of a privileged process.
Other vulnerabilities with the same severity score are two privilege escalation bugs identified as CVE-2018-9536 and CVE-2018-9537. They impact Android Nougat.
A number of six security glitches that could be exploited to leak information from the Android system have received a high severity rating.
They are remotely exploitable and could reveal data that is normally accessible to locally installed applications according to their permissions manifest.
Half of these flaws impact multiple Android versions (Nougat through Pie) and the other half affect only the latest revision of the mobile operating system.
Google also lists 14 security problems uncovered in Qualcomm components. More details are available in Qualcomm's security bulletin for November; three of them being rated with critical severity:
CVE-2017-18317 affects the Trusted Execution Environment (TEE) and allows bypassing modem-related restrictions (SIM lock, SIM kill), the report informs.
CVE-2018-5912 is a buffer overflow in the video component.
CVE-2018-11264 impacts the biometrics component in multiple Qualcomm chipsets. It is a possible buffer overflow in the fingerprint code.
Google announces in this Android security bulletin that it marked as experimental the Libxaac library for media compression and decoding and that it is no longer in included in production Android builds.
The reason behind this decision is the discovery of no less than 18 security issues in the library. The library will be removed from devices that still have it as soon as they run the latest Android security update.