Android November update fixes flaws galore – Naked Security

Studying Android’s November security bulletin, you’ll notice that there’s a fair amount to patch.

In total, there are 36 vulnerabilities assigned a CVE, and another 17 relating to Qualcomm components rather than Android itself.

Within Android, four are rated critical and 13 rated high. If there’s a standout it might be CVE-2018-9527, simply because it’s a Remote Code Execution (RCE) vulnerability affecting all versions from Android 7.0 (Nougat) onwards.

The other RCEs are CVE-2018-9531 and CVE-2018-9521, although both relate to version 9.0 (Pie), which mainly affects devices released since the summer.

CVE-2018-9531 turns out to be one of a clutch of CVEs arising from the Libxaac library, which Google says has been marked “experimental” and “is no longer included in any production Android builds.”

Leaving aside the extra flaws added to the mix this month by Qualcomm, November looks very similar to every other month this year – plenty of fixes, exactly what one might expect.

The complicated bit

However, this being Android, things are never that simple because when these patches appear on your device – indeed whether they appear at all – will depend on several factors.

One factor is that November’s patches are for Android versions 7.0 and later: devices that either shipped with one of those versions after August 2016 or were later upgraded to one from an earlier version.

In other words, if your device runs Android 6.x, the three years Google commits to support that device with security updates ended in September and now you’re on your own.

Another factor is how quickly the device maker or mobile network gets around to making the November update available to customers.

To speed things up from the glacial patching of the past, in 2017 Google initiated something called Project Treble that allowed vendors to apply security patches without having to refresh the entire OS.