May 08, 2019 - 5:35 p.m.

Google Patches Critical Remote Code-Execution Flaws in Android

Tom Spring

Google patched four remote code-execution (RCE) flaws as part of its May Android Security Bulletin.

Three of the critical bugs are tied to the System portion of the Android platform architecture, responsible for core apps such as the dialer, email and camera.

A fourth critical RCE bug opens the door for an attack on the Android operating system’s Media framework.

Other details of the patches haven’t been disclosed, but in all, the four patches (CVE-2019-2045, CVE-2019-2046, CVE-2019-2047, CVE-2019-2044) will be sent over the air to Google Pixel handsets over the next few days, for devices running OS versions 7, 8 and 9.

However, other devices will remain vulnerable temporarily: Patches for Android handsets made by manufacturers such as Samsung and LG should be received over the next few weeks.

Earlier this week, Google also released patches for 10 bugs rated high and one rated moderate, and it issued patches for flaws identified in third-party components from vendors such as NVIDIA, Broadcom and Qualcomm, bringing the total number of fixed CVEs to 30.

Google Retools Patch Deployment

On Tuesday, Google said its next-generation mobile operating system, Android Q, revamps the way it delivers direct over-the-air updates.

Security updates have often been a pain point for Android devices; because the operating system is utilized by so many device manufacturers, it takes time for various manufacturers to push out updates. Those updates are delivered over-the-air, but have so far been limited to monthly updates. That’s about to change with Google’s efforts to streamline the patching process by creating new update-friendly modules in its OS, capable of receiving direct over-the-air patches whenever needed.

LG and Samsung Play Patch Catchup

For its part, LG said that users will receive patches for 89 CVEs as part of the company’s May patching schedule. Twelve of the CVEs are rated critical and include those patched by Google this month. However, eight critical CVEs (CVE-2019-2029, CVE-2018-11940, CVE-2018-11976, CVE-2018-12004, CVE-2018-13886, CVE-2018-13887, CVE-2018-11271, CVE-2019-2250) appear to be unique to LG’s security bulletin.

Similarly, Samsung will push out seven critical patches that include an additional three CVEs (CVE-2018-13886, CVE-2018-11271, CVE-2018-11940). In all, Samsung patched 76 bugs, compared to the 30 CVEs that Google patched that include the third-party components.

Google Thanks Researchers

As part of its May Security Bulletin, Google also thanked researchers behind the bugs discovered.

Chong Wang of Chengdu Security Response Center, Qihoo 360 Technology Co. Ltd. – CVE-2019-2053

Cusas of L.O. Team – CVE-2019-2044

derrek (@derrekr6) – CVE-2018-6243, CVE-2018-13898, CVE-2018-13908

Evgenii Stepanov of Google – CVE-2019-2049

Jann Horn of Google Project Zero – CVE-2019-2054

Ji Zhang (@opc0nt7) and Mingjian Zhou (周明建) (@Mingjian_Zhou) of C0RE Team – CVE-2019-2050

Joshua Steiner – CVE-2019-2043

Pengfei Ding (丁鹏飞) of Huawei – CVE-2018-11955

Wei Liu (刘炜) and Yongke Wang (王永科) (@Rudykewang) of Tencent Security Xuanwu Lab (腾讯安全玄武实验室) – CVE-2019-2045, CVE-2019-2046, CVE-2019-2047, CVE-2019-2051, CVE-2019-2052

Wen Guanxing of Pangu LAB – CVE-2018-13910

Xiling Gong of Tencent Blade Team – CVE-2018-5912, CVE-2019-2256