Critical vulnerabilities ranged from two remote code execution vulnerabilities tied to the Android media framework, to a Qualcomm Wi-Fi component flaw that allowed a nearby attacker to use “a specially crafted file to execute arbitrary code within the context of a privileged process.”
Google said firmware updates are available and will be delivered via over-the-air (OTA) updates to Google Pixel and Nexus devices. Updates to other Android devices will be sent via respective OEM device makers and wireless carriers, where applicable. For example, Samsung Mobile announced a maintenance release for its “major flagship models” that included eight Samsung patches being delivered OTA.
In all, Google’s April security update includes 28 fixes: nine rated critical and 19 rated high. Seven of the critical vulnerabilities were tied to the Android OS directly. Component makers Qualcomm and Broadcom each fixed a critical bug.
The Android operating system received the most attention, with Google fixing four remote code execution bugs and one critical elevation of privilege bug.
“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google wrote.
Common Vulnerabilities and Exposures (CVE) details for each of the bugs are not released until device makers have patched the affected systems.
Several Qualcomm components were patched as part of the April update, including chipset functions relating to Wi-Fi, binder, WLAN and audio drivers. A critical Broadcom wireless RCE bug (CVE-2017-13292) was also patched.
Google also released a separate April Pixel / Nexus Security Bulletin for its Pixel and Nexus devices, which include the Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Nexus 5X, and Nexus 6P smartphones as well as the Pixel C tablet. Google said Android 8.1 Oreo factory images and OTAs are available for download.