Google has put out the official Android Security Bulletin for November 5, 2018, and it contains 36 new security fixes compared to the patch from October. Of these fixes, four are critical-level, and pertain to exploits that would allow unauthorized elevation of privileges and remote code execution by attackers. These four fixes are all in the media framework category. Additionally, 17 of these fixes apply to Qualcomm-specific components. This does not necessarily mean that the issues fixed can only be found on devices with Qualcomm processors, of course; Qualcomm components for networking and other functions have found their way into many chipsets these days. Finally, the Android team managed to find a large number of severe vulnerabilities in the fairly new Libxaac media compression and decoding library, and it has thus been marked as experimental and removed from all production Android builds going forward. If your build has it, this security patch will remove it.
Background: This month’s patch has a heavy focus on network-centric vulnerabilities found in Qualcomm hardware, though many of those fixes are low-level. The critical and high-level fixes, in large part, revolve around stopping would-be hackers from gaining control of users’ Android devices through privilege escalation in malicious apps, or by executing arbitrary code remotely on compromised devices. A lot of the fixes on the Qualcomm side are for closed-source components, which normally means that Qualcomm developed the fixes itself and sent them on to Google for integration. None of the software-side fixes in this patch, curiously, go any further back than Android version 7.0 Nougat. This presumably means that Google is leaving Android 6.0 Marshmallow behind, which would make sense, since it was introduced back in 2015. Finally, the removal of Google’s own Libxaac is a bit of a blow to Android on the media front, a battle that the platform has traditionally lost to Apple. The creation of new Android-specific audio latency fixes and libraries has softened the blow, but this setback does not necessarily make Apple the OS vendor of choice for hardcore audiophiles, musicians and the like – Android has caught up in many regards, and the temporarily scrapped library would have simply further improved support for AAC-based media types.
Impact: Those still rocking Android devices running versions older than 6.0 Marshmallow won’t see any changes. Those on newer, covered Android versions can expect this patch to make their media framework much safer, taking some of the risk out of potentially malicious apps or other things that would get in through the media libraries. Loaded and compromised media files are a fairly common thing to find on the net, endangering those who would rather have their media on their device than stream it from an outside source. Additionally, any devices that use Qualcomm components will see many severe security holes patched up. As always, Pixel devices and newer Nexus devices can expect the patch to hit fairly soon over the air. Since this one contains a lot of low-level system fixes for Android in general and for Qualcomm hardware, it could take a while to reach carrier variants and heavily-skinned versions of Android from the likes of Samsung and LG.
November 2018 Security Update - Factory ImagesNovember 2018 Security Update - OTA Images