Android Security Bulletin August 2018: What you need to know

As the summer draws near its end, Android vulnerabilities continue to be a part of the platform. Although August did see a few fewer Critical bugs, there were plenty of flaws marked High to balance out the sheet. Let's dive into those vulnerabilities and see what's what.

Before we take that dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device. To no surprise, my daily driver, an Essential PH-1, is running a security patch that is now one month behind (July 5, 2018).

To find out what patch level you are running, open Settings and go to About Phone. If you're using Android Pie, that location has changed to Settings | Security & Location | Security update. Scroll down until you see Android security patch level (Figure A).


Figure A

Terminology

You will find different types of vulnerabilities listed. Possible types include:

RCE--Remote code execution
EoP--Elevation of privilege
ID--Information disclosure
DoS--Denial of service

And now, onto the issues.

2018-08-01 security patch level

The last two Critical flaws are found in the System and, via a malicious file, could enable a remote attacker to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):

CVE-2018-9446 A-80145946 RCE
CVE-2018-9450 A-79541338 RCE

The next two vulnerabilities marked High affect the Media framework and could, via a malicious file, enable a remote attacker to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):

CVE-2018-9444 A-63521984 DoS
CVE-2018-9437 A-78656554 DoS

The final vulnerabilities, marked High, affect the System and could, via a malicious file, enable a remote attacker to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):

CVE-2018-9459 A-66230183 EoP
CVE-2018-9455 A-78136677 DoS
CVE-2018-9436 A-79164722 ID High
CVE-2018-9454 A-78286118 ID High
CVE-2018-9448 A-79944113 ID High
CVE-2018-9453 A-78288378 ID High

2018-08-05 security patch level

Information on Qualcomm closed source issues must come directly from the manufacturer.

The next group of High vulnerabilities affect open source Qualcomm components and could lead to remote information disclosure. Related bugs are (listed by CVE, Reference, Qualcomm Reference, Type, and Component):

CVE-2018-5383 A-79421580 QC-CR#2209635 ID Bluetooth
CVE-2017-13077 A-78284758 QC-CR#2133033 ID WLAN
CVE-2017-18281 A-78242172 QC-CR#856388 ID Video
CVE-2018-11260 A-72997254 QC-CR#2204872 EoP WLAN

Finally, there are a number of vulnerabilities, marked High, that affect Qualcomm closed source components. To find out more about these issues, consult official Qualcomm channels. Related bugs are (listed by CVE and Reference):

CVE-2017-18295 A-78240386
CVE-2017-18283 A-78240411
CVE-2017-18294 A-78240247
CVE-2017-18293 A-78240316
CVE-2017-18292 A-78241027
CVE-2017-18298 A-78239976
CVE-2017-18299 A-78240418
CVE-2017-18304 A-78239975
CVE-2017-18303 A-78240396
CVE-2017-18301 A-78238455
CVE-2017-18302 A-78239233
CVE-2017-18300 A-78239508
CVE-2017-18297 A-78240275
CVE-2017-18280 A-78285512
CVE-2017-18282 A-78241591
CVE-2017-18309 A-73539064
CVE-2017-18308 A-73539310
CVE-2018-11305 A-72951032
CVE-2018-11258 A-72951054

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.
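
For checking more than one handset, here is an added example that is not part of the original article: it reads the same Android security patch level shown in Settings over adb and classifies it against this bulletin's two levels. It assumes adb is installed and USB debugging is authorised on each device; the function names and status labels are made up for this example.

```shell
#!/bin/sh
# Added example: compare a device's security patch level with the two
# levels in this bulletin (2018-08-01 and 2018-08-05).

# classify_patch_level YYYY-MM-DD
# Prints one of: invalid | behind | partial | current (labels are this
# example's own, not Android's).
classify_patch_level() {
    level=$1
    # Accept only a strict, zero-padded YYYY-MM-DD string.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # Drop the dashes so the date compares as one integer.
    rest=${level#*-}
    n=${level%%-*}${rest%-*}${rest#*-}
    if [ "$n" -lt 20180801 ]; then
        echo behind     # none of the August 2018 fixes
    elif [ "$n" -lt 20180805 ]; then
        echo partial    # 2018-08-01 fixes, but not the 2018-08-05 Qualcomm ones
    else
        echo current    # both August 2018 patch levels
    fi
}

# audit_devices: report serial, patch level and status for every device
# adb can see (assumes adb on PATH and USB debugging authorised).
audit_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null stops adb from swallowing the rest of the serial list.
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch \
            </dev/null | tr -d '\r')
        printf '%s\t%s\t%s\n' "$serial" "$level" \
            "$(classify_patch_level "$level")"
    done
}

# Constructed sample values; 2018-07-05 is the July level mentioned above.
for sample in 2018-07-05 2018-08-01 2018-08-05 2018-8-5; do
    printf '%s -> %s\n' "$sample" "$(classify_patch_level "$sample")"
done
```

With devices attached, calling audit_devices prints one tab-separated line per handset.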


...

This article is republished from www.techrepublic.com under a Creative Commons license.
