Image: Jack Wallen
The new yr is already greater than a month previous. What does that imply for Android? Another yr filled with vulnerabilities and patches. This month there is a good combination of points marked Critical and High, and nothing ought to come as a shock (as we have grown used to sure parts being affected). Nonetheless, anybody with a thoughts for safety will need to know what’s taking place to the Android platform—and the safety bulletin du jour.
Before we dive into what’s included with this month’s Android Security Bulletin, it is at all times good to know what safety launch is put in in your gadget. To my shock, my each day driver, a Pixel 3, is operating a safety patch that’s one month outdated (Jane 5, 2018).SEE: BYOD (bring-your-own-device) coverage template obtain (Tech Pro Research)To discover out what patch degree you might be operating, open Settings and go to About Phone. If you are utilizing Android Pie, that location modified to Settings | Security & Location | Security up to date. Scroll down and faucet the model of Android discovered in your gadget. The ensuing window (Figure A) will reveal your safety patch degree.
Figure AThe Pixel gadgets needs to be as updated as attainable.Terminology
You will discover various kinds of vulnerabilities listed. Possible sorts embody:RCE—Remote code executionEoP—Elevation of privilegeID—Information disclosureDoS—Denial of serviceAnd now, onto the problems.02/01/2019 Security Patch DegreeCritical PointsThere had been 5 points, marked Critical, for this patch degree. The first three affected the Framework and had been marked as such as a result of it may allow a distant attacker, utilizing a malicious PNG picture file to execute arbitrary code throughout the context of a privileged course of. Related bugs (listed by CVE, Reference, and Type) are:The ultimate two points marked Critical are discovered within the System. These points had been marked as such as a result of they might allow a distant attacker, utilizing a malicious transmission, to execute arbitrary code throughout the context of a privileged course of. Related bugs (listed by CVE, Reference, and Type) are:High PointsThere are 9 points, marked High, for this patch degree. The first three are discovered within the Library. These points had been marked as such as a result of it may allow a distant attacker, utilizing a malicious file, to execute arbitrary code throughout the context of an unprivileged course of. Related bugs (listed by CVE, Reference, and Type) are:CVE-2017-17760 A-78029030 RCECVE-2018-5268 A-78029634 RCECVE-2018-5269 A-78029727 RCEThe remaining six points, marked High, are discovered within the System. These points had been marked as such as a result of it may allow a distant attacker, utilizing a malicious transmission, to execute arbitrary code throughout the context of a privileged course of. Related bugs (listed by CVE, Reference, and Type) are:02/05/2019 Security Patch DegreeCritical PointsThere had been six points, marked Critical for the 02/05/2019 patch degree. The first concern is discovered within the NVIDIA parts and was marked as such as a result of it may allow a distant attacker, utilizing a malicious file, to execute arbitrary code throughout the context of a privileged course of. The associated bug (listed by CVE, Reference, and Type) is:CVE-2018-6271 A-80198474 RCEThe subsequent concern, marked Critical, was discovered within the Qualcomm open supply parts. The particulars for this concern are described within the applicable Qualcomm safety bulletin or safety alert. The associated bug (listed by CVE, Reference, Qualcomm Reference, and Component) is:The remaining Critical points had been present in closed-source Qualcomm parts. The particulars for this concern are described within the applicable Qualcomm safety bulletin or safety alert. The associated bugs (listed by CVE, Reference and Qualcomm Reference) are:CVE-2018-11289 A-109678453CVE-2018-11820 A-111089815CVE-2018-11938 A-112279482CVE-2018-11945 A-112278875High PointsThere had been 21 points, marked High for the 02/05/2019 patch degree. The first 4 had been discovered within the kernel and marked as such as a result of it may allow a domestically put in malicious software to execute arbitrary code throughout the context of a privileged course of. Related bugs (listed by CVE, Reference, Type, and Component) are:CVE-2018-10879 A-116406063 EoP ext4 filesystemCVE-2019-1999 A-120025196 EoP Binder driverCVE-2019-2000 A-120025789 EoP Binder driverCVE-2019-2001 A-117422211 ID iomemThe subsequent three points, marked excessive, had been discovered within the NVIDIA parts. These points had been marked as such as a result of it may allow a distant attacker, utilizing a malicious file, to execute arbitrary code throughout the context of a privileged course of. Related bugs (listed by CVE, Reference, Type, and Component) are:CVE-2018-6267 A-70857947 EoP libnvomxCVE-2018-6268 A-80433161 EoP libnvomxCVE-2016-6684 A-117423758 ID kernel logThe subsequent 4 points, marked High, had been present in Qualcomm open supply parts. The particulars for these points are described within the applicable Qualcomm safety bulletin or safety alert. The associated bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:The remaining High points had been present in closed-source Qualcomm parts. The particulars for these concern are described within the applicable Qualcomm safety bulletin or safety alert. The associated bugs (listed by CVE, Reference and Qualcomm Reference) are:CVE-2018-11268 A-109678259CVE-2018-11845 A-111088838CVE-2018-11864 A-111092944CVE-2018-11921 A-112278972CVE-2018-11931 A-112279521CVE-2018-11932 A-112279426CVE-2018-11935 A-112279483CVE-2018-11948 A-112279144CVE-2018-5839 A-112279544CVE-2018-13904 A-119050566Improve and replaceThe builders will work diligently to patch the vulnerabilities, however it’s as much as finish customers to make sure the fixes discover their option to gadgets. Make certain you not solely verify for updates however that you simply apply them as quickly as they’re obtainable.
Mobile Enterprise Newsletter
BYOD, wearables, IoT, cellular safety, distant help, and the most recent telephones, tablets, and apps IT professionals have to find out about are a few of the subjects we’ll deal with.
Delivered Tuesdays and Fridays
Sign up at this time
Also see