Google Publishes October Android Security Bulletin

Google has published the October Android Security Bulletin following its earlier launch of the Factory and OTA images for the October Android Security Patch for its Nexus and Pixel devices. The bulletin sheds more light on the vulnerabilities and other security issues that this month’s patch attempts to fix. As is always the case, partners of Google’s Android program are notified about a month ahead of when Google publishes these bulletins, so non-Pixel and non-Nexus devices shouldn’t have to wait too long for their patches to be pushed out. That will ultimately depend on how good those OEMs are at sending out these patches, as some are much quicker at it than others.

Also worth noting is that while the Factory Images and OTA images are now live, the AOSP links are not. Google does, however, mention that it will post the AOSP links to the bulletin as soon as they are available, so anyone interested in getting their hands on them will want to keep an eye on the security bulletin, as they could show up later today or sometime within the next week.

As for the security issues that have been fixed, the bulletin shows a handful of critical issues resolved in the Media Framework category, along with a couple of critical issues in the Qualcomm Components category. Not all of these issues are part of the same patch framework. The critical vulnerabilities in the Media Framework category, for example, are part of the October 1st security patch framework, while the Qualcomm Components vulnerabilities are part of the October 5th security patch framework.

If you’ve never gone over a security bulletin before but are curious to start checking them out, Google associates each vulnerability with a type code to denote what type of risk or issue it is. These can be a bit confusing, so Google has also included a handy guide that explains what each type code means. RCE, for example, is Google’s abbreviation for Remote Code Execution, while DoS stands for Denial of Service, and so on. You can find this table of references towards the bottom of the security bulletin if you’re interested.