Released in July Android update (levels 2019-07-01 and 2019-07-05) brought patches for 33 vulnerabilities in OS itself, libraries, frameworks, and also for Qualcomm closed and open components.Among fixed issues were nine critical RCE bugs.
According to the official Android Security Bulletin, the most dangerous of all vulnerabilities is a bug in the Media framework.
“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed”, — reported Android developers.
Three of the nine critical RCE bugs were discovered in the Media framework. Thus, vulnerabilities CVE-2019-2106 and CVE-2019-2107 threaten all versions of Android, ranging from 7.0 to 9.0. However, the third problem, CVE-2019-2109, does not pose a threat for 9.0 version.
The last, fourth critical bug found directly in Android, received the identifier CVE-2019-2111 and was found in the system itself. This issue is dangerous only for users of Android 9.0.
The remaining serious issues concern Qualcomm components.
“We have had no reports of active customer exploitation or abuse of these newly reported issues”, — ensure developers.
Other fixed this month issues may lead to disclosure and information leakage or privileges’ escalation.