Google Patches ‘Critical’ Android Flaws

Google has patched a serious Android bug that could allow remote attackers to execute malicious code on devices running the software.

The bug, which affects the Media framework in Android versions 6.x Marshmallow to 8.1 Oreo, involves the use of a specially crafted file and can execute arbitrary code within the context of a privileged process.

Google ranked the issue as ‘critical’ based on the effect exploiting it would have if mitigations were turned off or bypassed. Security software such as Google Play Protect can block attacks attempting to exploit the bug.

The company said it wasn’t aware of any reports that the bug or the others released in its March security update were being actively exploited.

Eleven ‘critical’ flaws

Google’s Android Security Bulletin for March lists a total of 37 vulnerabilities, 11 of which are ranked as critical, including four affecting the Media framework.

Three of those bugs allowed remote code execution, with the fourth permitting attackers to obtain higher privileges, and thus to penetrate more deeply into the system.

Four bugs in the Android System allow attackers to execute remote code, as do two affecting Qualcomm components. Issues affecting Kernel and Nvidia components were considered less severe, with some allowing local malicious applications to execute code.

Google said it would release updated factory images for Pixel and Nexus devices immediately, with over-the-air (OTA) updates set to follow soon. Updates from other device manufacturers usually follow some time after Google’s initial patches.

Users who don’t want to wait for the OTA updates can manually apply the images to their devices using desktop-based software.

Google said it would release the patches to the Android Open Source Project (AOSP) repository within the next 48 hours.

What do you know about mobiles past and present? Try our quiz and find out!