March Security Patch Brings On Pixel & Android Bugs, Vulnerabilities

Google has posted its March Security Bulletin for Android as well as its update bulletin for Pixel devices, pointing to a plethora of vulnerability and bug fixes for devices on its operating system. As always, the patch is released in three levels: two for Android and OEM- or component-specific fixes, and a third for Pixel-branded handsets.

For Google Pixel 3 and Pixel 3 XL users, this month’s patches should prove to be particularly impactful given the number of issues that have been reported with the search giant’s in-house devices over the past several months. That’s because there are no fewer than five patches included in the incoming update and at least a few of those should apply to the more prominent issues still remaining after the past few updates.

The first of those addresses startup and responsiveness issues in the Camera app found on both flagships while two further patches improve performance — specifically in terms of recovery when an OTA update fails and in relation to storage. Yet another update is included to make Bluetooth connections more reliable and the final update improves playback of encrypted media in video apps where playback was causing trouble prior to the fix.

What about Android in general?

Users on other handsets will be seeing a wealth of security patches with the newest update too, beginning at the 2019-03-01 security patch level. That all starts with five elevation-of-privileges problems in the Android framework, three more in the media framework, and a further nine at the system level. All but one of those are marked as “high” severity in terms of the risk presented; the exception, found in the media framework, is noted as a “moderate” severity issue.

Seven ‘information disclosure’ vulnerabilities are being fixed at the system level too, in addition to one more in the framework. All of those are rated as high-severity problems. Finally, three remote code execution issues, representing one critical soft point at the system level and two in the media framework, are being patched too.

In the 2019-03-05 security patch level update, there are far fewer fixes being implemented, but a significant number of those are specific to Qualcomm components and noted as being critical problems. Of eight critical fixes in total, four are in Qualcomm components, including the DSP_Services component and EcoSystem component, while four more are in closed-source Qualcomm components left unspecified. A high-severity issue is being patched in both the “WIN NSS Host” and Video components, while four more issues at that level are being fixed in closed-source components.

All of the more general Android fixes in the second patch for March are rated at high severity and each addresses an elevation of privileges problem. One of those is for Android 8.0 Oreo and newer at the system level. The remaining three fixes apply at the kernel level and address potential problems in the filesystem and drivers.

There really is no timeline … for now

Google has been working for quite some time now to bring about changes in how its third-party OEM partners address software and firmware updates. Primarily, those efforts have been put forward in policy changes that are meant to ensure timely updates are provided within a set period of time from the release of new patches.

Reports have indicated that OEMs need to adhere to those standards in order to meet certification guidelines for Android and the goal is obviously to fix any vulnerabilities that might be present on a given handset before they create problems for the manufacturer or Google. The search giant has also put forward concepts that could see updates removed from manufacturers’ hands and placed in control of component makers directly, although those plans have yet to come to fruition.

None of that means that any of these patches will arrive any time soon, though, since OEMs are still ultimately in control of when updates roll out.