Google Patches 9 ‘Critical’ Vulnerabilities in April 2018 Android Security Update

According to an official report by Google, the tech giant has patched nine critical vulnerabilities as part of the April Android Security Update.

Google has released its collection of Android security patches for April 2018. This set of patches addresses multiple “High” and “Critical” severity vulnerabilities.

According to this report, a total of 19 bugs were identified affecting components such as Framework, Android runtime, System and Media framework.

Among the 19, seven of the issues were categorized as Critical, while the other 12 were categorized as High risk. All of these flaws were patched together as part of the “security patch level 2018-04-01.”

The company confirmed that the firmware updates outlined are available, and all Nexus and Pixel devices will receive them through over-the-air (OTA) updates.

As for other Android devices, the updates will be dispatched through their respective wireless carriers and device manufacturers, where applicable.

Types of Vulnerabilities

In the April Android Security Update release, Google noted that successful exploitation of these bugs could lead to information disclosure, elevation of privilege, denial of service and remote code execution.

For instance, the company stated that the most severe of the discovered bugs could allow a remote attacker to execute arbitrary code within the context of a privileged process by using a specially crafted file.

Of the bugs in the Android Security Update that were listed as “Critical,” six were identified as remote code execution flaws. The remaining one was marked as an elevation of privilege flaw.

The platform versions impacted by these bugs include Android 8.1, 8.0, 7.1.2, 7.1.1, 7.0, 6.0.1 and 6.0.

Bugs Range from ‘High’ to ‘Critical’ in Severity

In the Android Security Update, Google also highlighted nine additional bugs.

They were categorized as either “High Severity,” which had a total of seven bugs, or “Critical Severity,” which had only two. These bugs were identified as primarily impacting Kernel, Qualcomm and Broadcom components.

Both of these “Critical” bugs belong to the class of remote code execution flaws, and as for the “High Severity” bugs, they comprised a combination of information disclosure and elevation of privilege flaws.

As mentioned in the Android Security Update, the most severe bug in this category can result in arbitrary code execution by a remote attacker within the context of a privileged process, by using a specially crafted file.

The Android Security Update also features additional patches for 34 vulnerabilities in Qualcomm closed-source components.

Of the 34, 28 were labeled as “High-Risk Severe” after a comprehensive evaluation, with the remaining six falling in the “Critical Risk” severity level.

Qualcomm Cumulative Update


Furthermore, April’s Android Security Update also included a “2014-2016 Qualcomm closed-source components cumulative update.” This is despite numerous devices having already addressed these issues through previously released bulletins.

The report explains that these vulnerabilities affect Qualcomm components. Qualcomm had shared them through its AMSS security alerts or security bulletins released between 2014 and 2016.

Google further confirmed that their inclusion in this year’s bulletin was intentional, in order to link them to security patch levels.

The cumulative update included more than 250 bugs, with many of them categorized as “High Severity.” Of the 250, one stood out and was dubbed “Critical Risk,” while nine others were cited as “Moderate Severity.”

Security Bulletin Also Tackles Pixel & Nexus Bugs

In April 2018 alone, the tech giant also addressed more than 40 bugs in Pixel and Nexus devices.

A separate bulletin release also outlines more than 70 functional updates for Nexus and Pixel devices—including Nexus 5X, 6P, the Pixel, the Pixel 2, XL, 2 XL, plus the Pixel C tablet.

This report is dubbed Nexus/Pixel April 2018 Security Bulletin.
