The February 2019 security bulletin for Android is now live, showcasing fixes included in this month’s updates and key patches at the system and manufacturer level. The 2018-02-01 security patch is already live in both full OTA and factory images for Google’s Pixel-branded handsets too. Changes in the 2018-02-05 security patch apply to devices from other OEMs and contain fixes for the kernel as well as NVIDIA, Qualcomm, and HTC specific components.
The first patch for this month squashes bugs in the media framework for the OS, with just one additional patch for the system itself, but each is a relatively important fix.
In the first of those categories, the patch fixes no fewer than five vulnerabilities rated at high severity and two that are critical. The system-level patch is only ranked as a ‘moderate’ threat, but the most prominent fix in each category prevents a malicious actor from accessing privileged processes or running code ordinarily restricted to privileged processes.
Fixes in February’s second patch
Fixes arriving more directly on specific hardware will roll out with updates to each respective device but, as mentioned above, some of those apply to devices made by HTC or featuring NVIDIA components.
For both manufacturers, there are only two fixes with the 2018-02-05 patch. HTC devices will receive a patch that fixes high and moderate severity problems that could allow unauthorized access to data by malicious installed apps. NVIDIA’s patches fix media framework problems similar to those in the first of February’s security patches, each at a ‘high’ severity level.
Qualcomm has the most fixes rolling out, although the update contains relatively few patches compared to prior security updates. There are a total of nine high-level vulnerabilities and a single critical-level vulnerability in the update. Most apply to WLAN components from Qualcomm, with a few in the media framework as well. The most dangerous of those closes a gap to prevent remote attackers from executing malicious code in a privileged process.
Finally, three fixes are incoming at the kernel level, with a similar focus to that found in the Qualcomm patches and the 2018-02-01 update.
A staggered timeline
Fixes found in the latest bulletin from Google won’t be hitting every device at once and whether or not a handset or tablet sees the patches at all will vary between OEMs. Carrier-locked devices have an added step in the process since providers often make their own adjustments before pushing an over-the-air update.
The inconsistent timeline between manufacturers is something Google is looking to solve. One way it hopes to address the problem is by allowing manufacturers of individual components, where the most common vulnerabilities are present, to push their own updates to Android devices. That could phase out monthly updates entirely, but the search giant isn’t quite there yet and there’s no guarantee that will happen any time soon either.
In the meantime, users of any of Google’s Pixel devices, including the Pixel C Android tablet, can install the update manually by flashing either the factory image for a fresh install or the stock over-the-air image. That can be accomplished using ADB and Fastboot with relative ease on computers running Windows, Linux, Mac or Chrome OS.
Pixel Device Factory Images - Google Developers
Pixel Device Full OTA Images - Google Developers