Several critical remote code execution vulnerabilities were fixed in Android this week with the release of the July 2020 security patches, including three in the media framework and system components.
The most serious of the flaws affects the System component and may allow an attacker to execute code with high privileges via a specially crafted file. Google has addressed two critical System component flaws, one affecting Android 8.0 and newer releases (CVE-2020-0224), and the other affecting only Android 10 (CVE-2020-0225).
A third flaw addressed in the component is a high-severity information disclosure issue (CVE-2020-0107), which only affects Android 10.
In the media framework, alongside the patch for a critical remote code execution vulnerability (CVE-2020-9589), there is a fix for a high-severity elevation of privilege bug (CVE-2020-0226) affecting Android 10 users.
All five vulnerabilities are fixed on devices running security patch level 2020-07-01. In the framework component, the same patch level fixes two high-severity elevation of privilege flaws (affecting Android 8.0 and newer releases).
The second part of this month’s update, security patch level 2020-07-05, brings fixes for two other critical remote code execution bugs (CVE-2019-9501 and CVE-2019-9502), which affect Broadcom firmware.
Two other critical issues (CVE-2020-3698 and CVE-2020-3699) were fixed in the Qualcomm WLAN component. The update also addresses two high-severity problems in the Qualcomm kernel (CVE-2019-10580) and WLAN (CVE-2020-3700) components.
Devices updated to security patch level 2020-07-05 will also receive patches for high-severity defects in kernel components (three bugs), MediaTek components (three flaws), and closed-source components of Qualcomm (five problems). Overall, the updates released this month fix 25 vulnerabilities.
Besides these updates, Pixel devices running the security patch level 2020-07-05 will receive fixes for four moderate-severity bugs affecting Qualcomm components and closed-source components.