Patchday: Android secured against remote code execution, among other things
Source: Heise.de, added 08th Jan 2021
For the first patch day of the new year, Google has eliminated numerous security holes in Android versions 8.0, 8.1, 9, 10 and 11. Four of them are considered critical and could have been misused by attackers, among other things, to carry out denial-of-service attacks or to execute code remotely on vulnerable devices (remote code execution). With one exception rated “Moderate”, the remaining vulnerabilities are rated as high risk.
The Android Security Bulletin for January 2021 differentiates between two patch levels, which fix either part of the security holes (level 2021-01-01) or all of them (level 2021-01-05). According to Google, this approach is meant to give manufacturers of Android devices more flexibility when patching.
Critical security holes
According to Google’s assessment, the most dangerous of the closed security holes, CVE-2021-0316, is located directly in the operating system code (section “System” in the bulletin). It enables attackers to execute code remotely in the context of a privileged process. As for how the attack is carried out, Google states only that the transmission of specially prepared data is necessary.
CVE-2021-0316, as well as the critical gap CVE-2021-11 (denial of service) in the Android framework, is eliminated by raising the patch level to 2021-01-01. Eliminating two further security holes rated “Critical” in Qualcomm’s closed-source components, CVE-2020-11134 and CVE-2020-11182, on the other hand requires level 2021-01-05.
Separate bulletin for Pixel devices
As usual, a separate January bulletin with updates for Google’s Pixel devices has been published. It includes four additional security fixes that are automatically distributed to supported Pixel devices along with all other patches. There are also several functional patches from the areas of audio, graphics, sensors and telephony. Details are given in a post in the Pixel Support Forum.
In addition to Google, other manufacturers regularly publish security patches – but mostly only for some product series. Devices from other manufacturers receive the updates much later or, in the worst case, not at all.
According to Google, other manufacturers (“Android partners”) were informed of the vulnerabilities at least one month before the publication, as usual, and thus had sufficient time to implement the code. The source code for the patches is available in the Android Open Source Project (AOSP).
(ovw)