Picture: Jack Wallen

June is busting out all over. Flowers are blooming, bushes are leafing, bees are pollinating, and bugs are creeping. After all, Android is not proof against that explosion of bugs. With the June Safety Bulletin comes a strong steadiness of crucial and excessive vulnerabilities that will or could not shock you. Let’s dive proper into this bulletin to see what’s what.

Earlier than we dive into what’s included with this month’s bulletin, it is at all times good to know what safety launch is put in in your machine. To no shock, my day by day driver, an Important PH-1, is operating the most recent safety patch (June 5, 2018). To search out out what patch degree you’re operating, open Settings and go to About Cellphone. Scroll down till you see Android safety patch degree (Determine A).

Determine A

Figure AFigure A

The Important PH-1 at all times has an up-to-date Safety Patch.

Terminology

You’ll find several types of vulnerabilities listed. Potential varieties embody:

  • RCE—Distant code execution
  • EoP—Elevation of privilege
  • ID—Info disclosure
  • DoS—Denial of service

SEE: Information security incident reporting policy (Tech Professional Analysis)

And now, onto the problems.

2018-06-01 safety patch degree

Essential points

There are solely 6 vulnerabilities marked Essential for Jun 01. It ought to come as no shock that half of them are discovered within the Media Framework. These RCE vulnerabilities are marked as Essential, as a result of they’ll allow a distant attacker, utilizing a malicious file, to execute arbitrary code inside the context of a privileged course of. The associated bugs are (listed by CVE and Reference quantity):

The remaining three Essential vulnerabilities are all related to the System and are the identical sort as the problems that have an effect on the Media Framework (RCE). This implies these vulnerabilities are marked as Essential, as a result of they’ll allow a distant attacker, utilizing a malicious file, to execute arbitrary code inside the context of a privileged course of. Associated bugs are (listed by CVE and Reference quantity):

Excessive Points

Subsequent comes the vulnerabilities marked as Excessive for June 01. There are 14 such points, related to three totally different programs. The primary have an effect on the Android Framework. These points are labeled Excessive, as a result of they may allow a domestically put in malicious utility to bypass person interplay, with the intention to achieve further permissions. Associated bugs are (listed by CVE, Reference, and Sort):

Subsequent we’re again to our expensive previous buddy, the Media Framework. There are 5 vulnerabilities, marked Excessive, that have an effect on this method. Every of those is marked as such, as a result of essentially the most extreme might allow a distant attacker, utilizing a malicious file, to execute arbitrary code inside the context of a privileged course of. Associated bugs are (listed by CVE, Reference, and Sort):

The Android System wasn’t free and away from points marked Excessive. In reality, there are 5 vulnerabilities on this class, essentially the most extreme of which might allow a distant attacker, utilizing a malicious file, to execute arbitrary code inside the context of a privileged course of. Associated bugs are (listed by CVE, Reference, and Sort):

SEE: IT pro’s guide to effective patch management (free PDF) (TechRepublic

2018-06-05 safety patch degree

Essential Points

There are 6 vulnerabilities marked Essential for the June 5 safety patch. The primary of which is related to LG Elements and will allow a neighborhood attacker to bypass person interplay necessities to achieve entry to further permissions. The associated bug is listed by CVE, Reference, and Sort):

  • CVE-2018-9364 A-69163111* EoP

There may be additionally a single Essential vulnerability related to a MediaTek element. This problem might permit a distant attacker to execute arbitrary code inside the context of the Trusted Computing Base (which incorporates , firmware, and/or software program). The associated bug is (listed by CVE, Reference, Sort, and Part):

  • CVE-2018-9373 A-71867247* M-ALPS03740330 EoP Mediatek WLAN TDLS

The remaining Essential points are all discovered inside varied Qualcomm elements and will allow a neighborhood attacker to bypass person interplay to achieve entry to further permissions. The associated bugs are (listed by CVE, Reference, Qualcomm Reference, Sort, and Part):

  • CVE-2017-18158 A-68992400 QC-CR#2104056 EoP Bootloader
  • CVE-2018-3569 A-74237215 QC-CR#2161920 EoP WLAN Host
  • CVE-2017-18155 A-66734153*QC-CR#1050893 RCE codec
  • CVE-2018-5854 A-71800779 QC-CR#2183877 EoP Bootloader

Excessive Points

And now we give attention to the vulnerabilities marked Excessive. The primary 4 are related to varied kernel elements and will allow a neighborhood malicious utility to execute arbitrary code inside the context of a privileged course of. Associated bugs are (listed by CVE, Reference, Sort, and Part):

The Media Framework was found to have a single Excessive problem, which might allow a domestically put in malicious utility to bypass person interplay to achieve entry to further permissions. The associated bug is (listed by CVE, Reference, and Sort):

  • CVE-2018-9409 A-63144992* EoP Excessive

MediaTek elements have been hit by eight vulnerabilities marked Excessive, essentially the most extreme of which might allow a distant attacker to execute arbitrary code inside the context of the Trusted Computing Base. Associated bugs are (listed by CVE, Reference, Sort, and Part):

  • CVE-2018-9366 A-72314499* M-ALPS03762526 EoP IMSA
  • CVE-2018-9367 A-72314219* M-ALPS03762692 EoP Cameratool CCAP
  • CVE-2018-9368 A-70727446* M-ALPS03730693 EoP mtksocaudio
  • CVE-2018-9369 A-70514573* M-ALPS03666161 EoP bootloader
  • CVE-2018-9370 A-70515281* M-ALPS03693488 EoP bootloader
  • CVE-2018-9371 A-70515752* M-ALPS03683903 EoP Bootloader
  • CVE-2018-9372 A-70730215* M-ALPS03676237 EoP bootloader

Subsequent we see NVIDIA with three vulnerabilities marked Excessive, every of which might allow a domestically put in malicious utility to execute arbitrary code inside the context of a privileged course of. Associated bugs are (listed by CVE, Reference, Sort, and Part):

  • CVE-2017-6290 A-69559414* N-200373895 EoP TLK TrustZone
  • CVE-2017-6294 A-69316825* N-200369095 EoP NVIDIA Tegra X1 TZ
  • CVE-2017-6292 A-69480285* N-200373888 EoP TLZ TrustZone

Lastly we’re again to Qualcomm, topping out the chart with 9 vulnerabilities marked Excessive. Every of those vulnerabilities might allow a neighborhood attacker to bypass person interplay, thereby getting access to further permissions. Associated bugs are (listed by CVE, Reference, Qualcomm Reference, Sort, and Part):

  • CVE-2017-13077 A-63165064* EoP WLAN
  • CVE-2018-5896 A-70399602*QC-CR#2163793 ID Diag driver
  • CVE-2018-5829 A-74237546 QC-CR#2151241 ID WLAN
  • CVE-2017-18159 A-68992405 QC-CR#2105697 EoP Bootloader
  • CVE-2017-18158 A-67782849*QC-CR#2104056 EoP Bootloader
  • CVE-2018-5835 A-74237148 QC-CR#2153553 EoP WLAN Host
  • CVE-2018-5834 A-74237804 QC-CR#2153326 EoP WLAN
  • CVE-2018-5831 A-74237606 QC-CR#2161310 EoP GPU driver
  • CVE-2018-5830 A-74237532 QC-CR#2157917 EoP WLAN Host

Improve and replace

The builders will work diligently to patch the vulnerabilities, however it’s as much as the top customers to make sure the fixes discover their solution to gadgets. Ensure you not solely verify for updates, however that you just apply them as quickly as they’re out there.

Additionally see:

Shop Amazon