Google fixes multiple RCE vulnerabilities in Android

Google has patched 44 vulnerabilities in Android in this month's patch cycle, including several that allow remote code execution. Two of these are in the Android system and allow an attacker to run arbitrary code on the device via a specially crafted file. Google has not provided further details about the vulnerabilities.

In addition to vulnerabilities in its own Android code, the monthly patch round also resolves vulnerabilities in components from chipset manufacturers that Android uses. This month these are components from MediaTek, Qualcomm, and Widevine DRM.

Widevine DRM is a technology developed by Google for protecting the copyright of digital content. The Widevine vulnerability has been labeled critical, meaning an attacker could execute arbitrary code on devices. Further information, such as how an attacker could exploit this vulnerability, has not been released.

Multiple vulnerabilities in Qualcomm's software have also been labeled critical. One of them is a vulnerability in a Qualcomm Wi-Fi component. This vulnerability, designated CVE-2021-1965, has an impact score of 9.8 and is remotely exploitable. While the device scans BSSIDs, it can cause a buffer overflow that could allow an attacker to execute their own code.

Patch level

Google works with so-called patch levels, each identified by a date. Devices receiving the July updates will have '2021-07-01' or '2021-07-05' as their patch level. Manufacturers who want their devices to reach this patch level have to include all updates from the July Android bulletin in their own updates and then roll them out to their users. The updates have been made available for Android 8.1, 9, 10 and 11.

According to Google, manufacturers of Android devices were informed of the now-fixed vulnerabilities at least a month ago and have been able to develop updates in that time. However, that does not mean that all Android devices will receive these updates. Some devices no longer receive updates from the manufacturer, and some manufacturers release the updates at a later time.
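To see which devices actually reached the July patch levels, the following added example (not part of the original article) parses `adb shell getprop` output and classifies each device against '2021-07-01' and '2021-07-05'. The device names and sample dumps are constructed, and the code assumes that a later patch-level date includes the fixes of every earlier one.

```python
import re
from datetime import date

# The two patch levels the article gives for the July updates.
JULY_EARLY = date(2021, 7, 1)
JULY_FULL = date(2021, 7, 5)

# Line format printed by `adb shell getprop` for the patch-level property.
PROP_RE = re.compile(
    r"^\[ro\.build\.version\.security_patch\]:\s*\[(.*?)\]\s*$", re.M
)


def patch_level(getprop_output):
    """Return the security patch level as a date, or None if absent or malformed."""
    match = PROP_RE.search(getprop_output)
    if not match:
        return None
    try:
        return date.fromisoformat(match.group(1).strip())
    except ValueError:
        return None


def classify(getprop_output):
    """Classify one device dump against the July patch levels."""
    level = patch_level(getprop_output)
    if level is None:
        return "unknown"
    if level < JULY_EARLY:
        return "before-2021-07-01"
    if level < JULY_FULL:
        return "2021-07-01"
    return "2021-07-05-or-later"


def audit(fleet):
    """Map each device name to its classification."""
    return {name: classify(dump) for name, dump in fleet.items()}


# Constructed sample dumps (hypothetical device names, not real inventory data).
SAMPLE_FLEET = {
    "phone-a": "[ro.build.version.release]: [11]\n[ro.build.version.security_patch]: [2021-07-05]\n",
    "phone-b": "[ro.build.version.release]: [10]\n[ro.build.version.security_patch]: [2021-07-01]\n",
    "phone-c": "[ro.build.version.release]: [9]\n[ro.build.version.security_patch]: [2021-05-01]\n",
    "phone-d": "[ro.build.version.release]: [8.1.0]\n",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_FLEET).items():
        print(f"{name}: {status}")
```

Devices reported as `unknown` or `before-2021-07-01` are the ones the closing paragraph describes: unsupported by the manufacturer or still waiting for a delayed rollout.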
