More

    Android Security Bulletin June 2018: What you need to know

    Picture: Jack Wallen

    June is busting out all over. Flowers are blooming, bushes are leafing, bees are pollinating, and bugs are creeping. After all, Android is not proof against that explosion of bugs. With the June Safety Bulletin comes a strong steadiness of crucial and excessive vulnerabilities that will or could not shock you. Let’s dive proper into this bulletin to see what’s what.

    Earlier than we dive into what’s included with this month’s bulletin, it is at all times good to know what safety launch is put in in your machine. To no shock, my day by day driver, an Important PH-1, is operating the most recent safety patch (June 5, 2018). To search out out what patch degree you’re operating, open Settings and go to About Cellphone. Scroll down till you see Android safety patch degree (Determine A).

    Determine A

    Figure AFigure A

    The Important PH-1 at all times has an up-to-date Safety Patch.

    Terminology

    You’ll find several types of vulnerabilities listed. Potential varieties embody:

    • RCE—Distant code execution
    • EoP—Elevation of privilege
    • ID—Info disclosure
    • DoS—Denial of service

    SEE: Information security incident reporting policy (Tech Professional Analysis)

    And now, onto the problems.

    2018-06-01 safety patch degree

    Essential points

    There are solely 6 vulnerabilities marked Essential for Jun 01. It ought to come as no shock that half of them are discovered within the Media Framework. These RCE vulnerabilities are marked as Essential, as a result of they’ll allow a distant attacker, utilizing a malicious file, to execute arbitrary code inside the context of a privileged course of. The associated bugs are (listed by CVE and Reference quantity):

    The remaining three Essential vulnerabilities are all related to the System and are the identical sort as the problems that have an effect on the Media Framework (RCE). This implies these vulnerabilities are marked as Essential, as a result of they’ll allow a distant attacker, utilizing a malicious file, to execute arbitrary code inside the context of a privileged course of. Associated bugs are (listed by CVE and Reference quantity):

    Excessive Points

    Subsequent comes the vulnerabilities marked as Excessive for June 01. There are 14 such points, related to three totally different programs. The primary have an effect on the Android Framework. These points are labeled Excessive, as a result of they may allow a domestically put in malicious utility to bypass person interplay, with the intention to achieve further permissions. Associated bugs are (listed by CVE, Reference, and Sort):

    Subsequent we’re again to our expensive previous buddy, the Media Framework. There are 5 vulnerabilities, marked Excessive, that have an effect on this method. Every of those is marked as such, as a result of essentially the most extreme might allow a distant attacker, utilizing a malicious file, to execute arbitrary code inside the context of a privileged course of. Associated bugs are (listed by CVE, Reference, and Sort):

    The Android System wasn’t free and away from points marked Excessive. In reality, there are 5 vulnerabilities on this class, essentially the most extreme of which might allow a distant attacker, utilizing a malicious file, to execute arbitrary code inside the context of a privileged course of. Associated bugs are (listed by CVE, Reference, and Sort):

    SEE: IT pro’s guide to effective patch management (free PDF) (TechRepublic

    2018-06-05 safety patch degree

    Essential Points

    There are 6 vulnerabilities marked Essential for the June 5 safety patch. The primary of which is related to LG Elements and will allow a neighborhood attacker to bypass person interplay necessities to achieve entry to further permissions. The associated bug is listed by CVE, Reference, and Sort):

    • CVE-2018-9364 A-69163111* EoP

    There may be additionally a single Essential vulnerability related to a MediaTek element. This problem might permit a distant attacker to execute arbitrary code inside the context of the Trusted Computing Base (which incorporates , firmware, and/or software program). The associated bug is (listed by CVE, Reference, Sort, and Part):

    • CVE-2018-9373 A-71867247* M-ALPS03740330 EoP Mediatek WLAN TDLS

    The remaining Essential points are all discovered inside varied Qualcomm elements and will allow a neighborhood attacker to bypass person interplay to achieve entry to further permissions. The associated bugs are (listed by CVE, Reference, Qualcomm Reference, Sort, and Part):

    • CVE-2017-18158 A-68992400 QC-CR#2104056 EoP Bootloader
    • CVE-2018-3569 A-74237215 QC-CR#2161920 EoP WLAN Host
    • CVE-2017-18155 A-66734153*QC-CR#1050893 RCE codec
    • CVE-2018-5854 A-71800779 QC-CR#2183877 EoP Bootloader

    Excessive Points

    And now we give attention to the vulnerabilities marked Excessive. The primary 4 are related to varied kernel elements and will allow a neighborhood malicious utility to execute arbitrary code inside the context of a privileged course of. Associated bugs are (listed by CVE, Reference, Sort, and Part):

    The Media Framework was found to have a single Excessive problem, which might allow a domestically put in malicious utility to bypass person interplay to achieve entry to further permissions. The associated bug is (listed by CVE, Reference, and Sort):

    • CVE-2018-9409 A-63144992* EoP Excessive

    MediaTek elements have been hit by eight vulnerabilities marked Excessive, essentially the most extreme of which might allow a distant attacker to execute arbitrary code inside the context of the Trusted Computing Base. Associated bugs are (listed by CVE, Reference, Sort, and Part):

    • CVE-2018-9366 A-72314499* M-ALPS03762526 EoP IMSA
    • CVE-2018-9367 A-72314219* M-ALPS03762692 EoP Cameratool CCAP
    • CVE-2018-9368 A-70727446* M-ALPS03730693 EoP mtksocaudio
    • CVE-2018-9369 A-70514573* M-ALPS03666161 EoP bootloader
    • CVE-2018-9370 A-70515281* M-ALPS03693488 EoP bootloader
    • CVE-2018-9371 A-70515752* M-ALPS03683903 EoP Bootloader
    • CVE-2018-9372 A-70730215* M-ALPS03676237 EoP bootloader

    Subsequent we see NVIDIA with three vulnerabilities marked Excessive, every of which might allow a domestically put in malicious utility to execute arbitrary code inside the context of a privileged course of. Associated bugs are (listed by CVE, Reference, Sort, and Part):

    • CVE-2017-6290 A-69559414* N-200373895 EoP TLK TrustZone
    • CVE-2017-6294 A-69316825* N-200369095 EoP NVIDIA Tegra X1 TZ
    • CVE-2017-6292 A-69480285* N-200373888 EoP TLZ TrustZone

    Lastly we’re again to Qualcomm, topping out the chart with 9 vulnerabilities marked Excessive. Every of those vulnerabilities might allow a neighborhood attacker to bypass person interplay, thereby getting access to further permissions. Associated bugs are (listed by CVE, Reference, Qualcomm Reference, Sort, and Part):

    • CVE-2017-13077 A-63165064* EoP WLAN
    • CVE-2018-5896 A-70399602*QC-CR#2163793 ID Diag driver
    • CVE-2018-5829 A-74237546 QC-CR#2151241 ID WLAN
    • CVE-2017-18159 A-68992405 QC-CR#2105697 EoP Bootloader
    • CVE-2017-18158 A-67782849*QC-CR#2104056 EoP Bootloader
    • CVE-2018-5835 A-74237148 QC-CR#2153553 EoP WLAN Host
    • CVE-2018-5834 A-74237804 QC-CR#2153326 EoP WLAN
    • CVE-2018-5831 A-74237606 QC-CR#2161310 EoP GPU driver
    • CVE-2018-5830 A-74237532 QC-CR#2157917 EoP WLAN Host

    Improve and replace

    The builders will work diligently to patch the vulnerabilities, however it’s as much as the top customers to make sure the fixes discover their solution to gadgets. Ensure you not solely verify for updates, however that you just apply them as quickly as they’re out there.

    Additionally see:

    Recent Articles

    Dead Cells Studio Teams With Other Indie Devs For The Triple-I Showcase

    30+ impartial studios are teaming as much as...

    Killer Klowns from Outer Space: The Game honors a cult classic | Digital Trends

    IllFonic Publishing The great thing about the film Killer Klowns from Outer Space is the way in which the title tells you precisely what you'll...

    How to turn your laptop into a desktop workstation

    The massive distinction between laptops and desktops is that the latter are, effectively, massive. You want a desk or a desk and equipment like...

    Why even hybrid RTO mandates are hurting overall job satisfaction

    Though most firms have settled on return-to-office (RTO) insurance policies now that COVID-19 is now not thought-about a world well being emergency, many proceed...

    Chromebooks are about to change in a massive way

    Beyond the Alphabet(Image credit score: Nicholas Sutrich / Android Central)Beyond the Alphabet is a weekly column that focuses on the tech world each in...

    Related Stories

    Stay on op - Ge the daily news in your inbox