Largest Security Patch Released for Android, Fixing Critical Flaws – Install ASAP
Google is rolling out its largest security patch for Android, fixing over a hundred vulnerabilities in the operating system, including patches for the infamous Qualcomm-related flaws. The search giant has split this month's security update in two parts: one fixes 33 flaws that affect all of Android devices, and another brings patches to 75 driver- and device-specific vulnerabilities.
This is the first time we are seeing Google dividing the monthly update in two parts, and that has a good reason behind it. In the past weeks, we have seen a number of device and driver specific vulnerabilities, affecting some devices, and the two-part Android security release is designed to ensure speedy delivery across all devices. "This bulletin has two security patch level strings in order to provide Android partners with the flexibility to move more quickly to fix a subset of vulnerabilities that are similar across all Android devices," Google said in its July Android security bulletin.
The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.
A Huge number of flaws fixed in the July Android security patch
The July update brings fixes for a total number of 108 vulnerabilities, fixing bugs in the Qualcomm Secure Execution Environment (QSEE) that could be exploited to bypass Android's Full Device Encryption (FDE) among others. The latest security patch from Google also brings fixes for bugs in:
- Qualcomm GPU, Bluetooth, camera, USB, and WiFi
- 14 vulnerabilities were resolved in Mediasever, including 7 that were rated critical, including:
- Denial of service vulnerability
- Information disclosure vulnerability
- Elevation of privilege vulnerability
- Remote code execution vulnerability in OpenSSL and BoringSSL
- Fixes for MediaTek drivers:
- Elevation of privilege vulnerability in MediaTek Wi-Fi driver
- Elevation of privilege vulnerability in MediaTek drivers
- Elevation of privilege vulnerability in MediaTek power driver
- Elevation of privilege vulnerability in MediaTek hardware sensor driver, video driver, GPS driver, power management driver, display driver, video codec driver
- NVIDIA driver fixes:
- Elevation of privilege vulnerability in NVIDIA video driver, camera driver
- Information disclosure vulnerability in NVIDIA camera driver
From critical privilege escalation flaws to some vulnerabilities being rated of high and medium severity, there is a long list of fixes that have arrived following the Independence weekend. Google has said that there is no reported active exploitation or abuse of these newly reported flaws.
This is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.
Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
July's Android security updates are already available for Nexus devices, and we hope to see latest Samsung devices to receive the security fixes very soon too. BlackBerry has also promised that the patch will shortly arrive on devices. Users are strongly advised to install the Android security updates as soon as they land on your device.