Google Patches High-Risk Android Security Flaws
Google this week pushed out a security-themed Android update with fixes for more than 30 security flaws that expose mobile users to a range of malicious hacker attacks.
The latest Android update provides documentation on 33 security bugs, some serious enough to allow privilege escalation or information disclosure.
The most important of these is a bug in the Media Framework that could lead to elevation of privilege on Android 8.1 and 9 devices, or to information disclosure on Android 10 and 11. The issue is tracked as CVE-2021-0519.
“The most severe of these issues is a high security vulnerability in the Media Framework component that could enable a local malicious application to bypass operating system protections that isolate application data from other applications,” according to a Google advisory.
The 2021-08-01 security patch level also includes fixes for three high-severity elevation of privilege flaws in Framework, plus a pair of elevation of privilege bugs and three information disclosure bugs in System. All five System bugs are rated high severity.
The second part of this month’s security update, the 2021-08-05 security patch level, brings fixes for a total of 24 vulnerabilities affecting Kernel components, MediaTek components, Widevine DRM, Qualcomm components, and Qualcomm closed-source components.
The most severe of these issues is a use-after-free that may allow an attacker to execute arbitrary code with kernel privileges.
Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process. Depending on the privileges associated with that process, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In addition to the vulnerabilities resolved with the August 2021 Android Security Bulletin, Google also fixed three medium-severity bugs specific to Google devices. These include an elevation of privilege flaw in the Pixel component and two other unspecified vulnerabilities in Qualcomm closed-source components.
All of these issues are fixed on Pixel devices running a patch level of 2021-08-05, Google notes.