Google Patches 9 Critical Android Vulnerabilities in April 2018 Update
Google this week has released its April 2018 set of Android security patches which address more than two dozen Critical and High severity vulnerabilities.
19 vulnerabilities were found to affect components such as Android runtime, Framework, Media framework, and System. These include 7 issues rated Critical and 12 considered High risk. All of the flaws were patched as part of the 2018-04-01 security patch level.
Successful exploitation of these security bugs could result in elevation of privileges, information disclosure, remote code execution, and denial of service.
“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes in its advisory.
Six of the Critical severity bugs were remote code execution vulnerabilities, while the seventh was an elevation of privilege flaw. Impacted platform versions include Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1.
Google also addressed 9 vulnerabilities as part of the 2018-04-05 security patch level, namely 2 Critical and 7 High severity. The issues impact Broadcom, Kernel, and Qualcomm components.
Both Critical bugs are remote code execution flaws, while the High severity issues include elevation of privilege and information disclosure vulnerabilities.
“The most severe vulnerability in this section could enable a proximate attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes.
The 2018-04-05 security patch level also includes patches for 34 vulnerabilities in Qualcomm closed-source components: 6 rated Critical and 28 assessed with a High risk severity level.
Google also included a Qualcomm closed-source components 2014-2016 cumulative update as part of its April 2018 Android security bulletin, although many devices have already addressed these issues in previous updates.
“These vulnerabilities affect Qualcomm components and were shared by Qualcomm with their partners through Qualcomm AMSS security bulletins or security alerts between 2014 and 2016. They are included in this Android security bulletin in order to associate them with a security patch level,” Google explains.
Over 250 vulnerabilities were included in the cumulative update, most rated High severity. One of the bugs was rated Critical risk and 9 were rated Moderate severity.
This month, Google also addressed over 40 vulnerabilities in the Nexus and Pixel devices, all rated Moderate severity (four of the flaws have a High severity rating on Android 6.0 and 6.0.1 devices). Impacted components include Framework, Media framework, System, and Broadcom, Kernel, and Qualcomm components.
On top of these security fixes, the Internet giant also included over 70 functional updates for Google devices as part of the April 2018 Pixel / Nexus Security Bulletin.
Ionut Arghire is an international correspondent for SecurityWeek.