Google has fixed three critical remote code execution (RCE) vulnerabilities in the Media framework and another one in the Android system in the Android Open Source Project (AOSP).
In all, Google fixed 33 security vulnerabilities in the Android system, framework, library, media framework, Qualcomm components, and Qualcomm closed-source components, all of them addressed in the 2019-07-01 and 2019-07-05 security patch levels.
“This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly,” says the security bulletin.
The July 2019 Android Security Bulletin says that the most severe of these issues is a serious security vulnerability in Media framework that could allow a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
The serious RCE flaws CVE-2019-2106, CVE-2019-2107, and CVE-2019-2109 affect all devices running Android 7.0 or later, although Android 9.0 is not affected by the last of these, while the fourth issue, CVE-2019-2111, is in the Android system and affects only devices running Android 9.0.
The rest of the 33 vulnerabilities fixed in this security update are either elevation of privilege flaws, can lead to information disclosure, or haven’t yet been classified, and users should be safe from possible attacks after applying the latest Android security patch.
No reports of exploitation before disclosure
According to the July 2019 Android Security Bulletin, there were no “reports of active customer exploitation or abuse of these newly reported issues.”
The bulletin also explains that all Android partners were notified of the security issues fixed and disclosed in this update at least a month before today’s public disclosure.
Additionally, “source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours”, with the bulletin to be revised with the AOSP links as soon as they are available.