Google patched several Critical and High severity vulnerabilities as part of its Android Security Bulletin for January 2018.
A total of 38 security flaws were resolved in the popular mobile OS this month, 20 as part of the 2018-01-01 security patch level and 18 in the 2018-01-05 security patch level. Five of the bugs were rated Critical and 33 were rated High risk.
Four of the vulnerabilities addressed with the 2018-01-01 security patch level were rated Critical, all of them remote code execution bugs. The remaining 16 issues resolved in this patch level were High risk elevation of privilege and denial of service vulnerabilities.
An elevation of privilege bug that Google patched in Android runtime could be exploited remotely to bypass user interaction requirements in order to gain access to additional permissions.
The most severe of the 15 vulnerabilities resolved in Media framework could allow an attacker using a specially crafted malicious file to execute arbitrary code within the context of a privileged process. These include 3 Critical remote code execution bugs, 4 High severity elevation of privilege issues, and 8 High risk denial of service flaws.
One other Critical remote code execution bug was patched in System, along with two High severity elevation of privilege flaws and one High risk denial of service vulnerability.
Only one of the flaws fixed with the 2018-01-05 security patch level was a Critical vulnerability. Along with 6 High severity flaws, it was affecting Qualcomm closed-source components.
The patch level also resolved a High risk denial of service issue in HTC components and High risk elevation of privilege bugs in LG components, Media framework, MediaTek components, and NVIDIA components (one in each).
The security patch level addressed three High severity elevation of privilege and one information disclosure bug in Kernel components, along with two High risk elevation of privilege vulnerabilities in Qualcomm components.
Google also resolved 46 vulnerabilities in Google devices as part of the Pixel / Nexus Security Bulletin—January 2018. Most of the flaws were rated Moderate severity, exception making issues addressed in Media framework (some were rated Low risk and others were rated High severity on older Android versions).
Impacted components included Framework (1 vulnerability), Media framework (16 vulnerabilities), System (1 flaw), Broadcom components (1 issue), HTC components (1 flaw), Kernel components (7 bugs), MediaTek components (1 issue), and Qualcomm components (18 vulnerabilities).
In addition to patching security flaws, the security bulletin also addressed functionality issues on Pixel devices. The update adjusted the handling of key upgrades in keystore and improved stability and performance after installing an OTA.
On Google devices, all of these issues are fixed as part of the security patch levels of 2018-01-05 or later.