This week, Google engineers released the December update for Android, fixing more than 40 issues, including a critical DoS vulnerability.
Of these, 17 issues were fixed at security patch level 2019-12-01 and another 27 at security patch level 2019-12-05.
“This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level,” explain Android developers.
Of the seventeen issues fixed at security patch level 2019-12-01, six affected the Framework (privilege escalation and information disclosure), two were found in the Media framework (remote code execution), and seven were related to System (remote code execution, privilege escalation, and information disclosure). In addition, two vulnerabilities were fixed in the Google Play updater.
The most serious of these vulnerabilities received the identifier CVE-2019-2232: a critical DoS error that affected the Framework component in Android 8.0, 8.1, 9, and 10.
“The vulnerability could be used by a remote attacker to provoke a constant denial of service, and for this it was enough to send a specially created message to the victim,” explain Google experts.
The severity assessment is based on the effect that exploiting the vulnerability would have on an affected device, assuming the platform and service mitigations are turned off for development purposes or are successfully bypassed.
Security patch level 2019-12-05 includes fixes for information disclosure errors in the Framework and System, three privilege escalation issues in kernel components, and twelve other high-risk vulnerabilities in Qualcomm components. It also contains fixes for ten issues in Qualcomm’s closed-source components, three of which are considered critical and seven high-risk.
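For anyone tracking a device fleet against this bulletin, the two patch levels translate into a simple audit. The following is an added example, not code from Google or the bulletin: it classifies devices by the security patch level they report in the `ro.build.version.security_patch` property. The inventory format, the status names and the assumption that release strings are normalized to the forms used above ("8.0", "8.1", "9", "10") are hypothetical.

```python
from datetime import date

# Patch levels and affected releases as stated in the article above.
SPL_PARTIAL = date(2019, 12, 1)   # includes the CVE-2019-2232 Framework fix
SPL_FULL = date(2019, 12, 5)      # adds the kernel and Qualcomm component fixes
CVE_2019_2232_RELEASES = {"8.0", "8.1", "9", "10"}

def classify(release: str, patch_level: str) -> str:
    """Classify one device from its Android release and security patch level.

    patch_level is the YYYY-MM-DD string a device reports in the
    ro.build.version.security_patch property.
    """
    try:
        spl = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "unknown"  # missing or malformed value: needs manual review
    if spl >= SPL_FULL:
        return "patched"
    if spl >= SPL_PARTIAL:
        return "partial"  # 2019-12-01 fixes only, kernel/Qualcomm fixes missing
    if release.strip() in CVE_2019_2232_RELEASES:
        return "exposed-cve-2019-2232"
    return "outdated"  # predates the December fixes, release not listed for the CVE

def audit(inventory: str) -> dict:
    """Parse 'device_id,release,patch_level' lines into {device_id: status}."""
    report = {}
    for line in inventory.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        device_id, release, patch_level = (f.strip() for f in line.split(","))
        report[device_id] = classify(release, patch_level)
    return report

# Constructed sample inventory (hypothetical format, not real devices).
SAMPLE = """
# device_id,release,patch_level
phone-a,10,2019-12-05
phone-b,9,2019-12-01
phone-c,8.1,2019-11-05
phone-d,7.1,2019-08-01
phone-e,10,
"""

if __name__ == "__main__":
    for device, status in audit(SAMPLE).items():
        print(f"{device}: {status}")
```

Devices reported as `partial` carry the 2019-12-01 fixes, including the one for CVE-2019-2232, but still lack the kernel and Qualcomm fixes that arrive with 2019-12-05.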
In addition to vulnerabilities fixed in Android, in December 2019, Google also fixed a number of errors that appeared exclusively on Pixel devices.
Recommendations:
Exploitation of many issues on Android is made more difficult by improvements in newer versions of the Android platform. Therefore, the development team recommends that all users upgrade to the latest version of Android whenever possible.
The Android security team actively monitors for abuse through Google Play Protect and warns users about potentially dangerous applications. Google Play Protect is enabled by default on devices with Google Mobile Services and is especially important for users who install applications from outside Google Play.