Android patch day: Updates plug two security vulnerabilities under attack

The November Android patch day brings updates that, among other things, close two security vulnerabilities that have already been attacked.

Stylized image: Smartphone with Android robot on the screen, on fire

Security vulnerabilities threaten Android smartphones.

(Image: created with AI in Bing Designer by heise online / dmk)


Google has now released the Android updates for the November patch day. Patch level 2024-11-01 closes a total of 17 high-risk vulnerabilities, plus four vulnerabilities that Google Play system updates correct. Patch level 2024-11-05 additionally fixes a critical vulnerability in Qualcomm closed-source components and 22 high-risk vulnerabilities in third-party drivers and components from the manufacturers of the SoCs used.

The developers at Google write in the security bulletin for the patch day that the most serious vulnerability closed by the updates is in the System component. It is rated high risk and can allow attackers to execute code from the network without additional execution privileges. It belongs to patch level 2024-11-01, in which Google also closes seven vulnerabilities in the Framework, some of which affect all Android versions: 12, 12L, 13, 14 and 15. The programmers also fixed a total of ten vulnerabilities in the System component. The four vulnerabilities that the Google Play system updates fix belong to the Project Mainline components and affect the Documents UI, Media Provider, Permission Controller and WiFi modules.

Patch level 2024-11-05 corrects further security-relevant errors. Two high-risk vulnerabilities are in the kernel and affect the Net and Binder components. The LTS kernel, which is part of Android 12, has also been updated to versions 5.4.274 and 4.19.312 respectively. The new software also fixes security vulnerabilities in the PowerVR GPUs from Imagination Technologies as well as in MediaTek and Qualcomm components.


The manufacturers of the processors and SoCs used in Android smartphones have also published their own security notifications. Qualcomm, for example, lists the security vulnerabilities that will be closed with patch level 2024-11-05, but adds further information such as the affected processors. Samsung lists a longer series of CVE entries that the Security Maintenance Release (SMR) will correct in November. In addition, MediaTek has compiled a list of vulnerabilities that will be closed in November, of which only two are classified as high risk, while many are classified as medium risk.

It is not possible to say when the updates will arrive on individual smartphones. As a rule, the manufacturers' flagship models still receive monthly security updates in the first few months, with Google leading the list of exemplary update suppliers. After a while, Samsung, for example, only provides quarterly updates; whether this will change with the seven-year update promise for newer models remains to be seen. No-name providers in particular, however, only put cheap smartphones on the market, and buyers cannot expect updates for them.

However, the November updates for Google's Pixel smartphones are not yet available at the time of reporting.

On the October patch day, Google fixed vulnerabilities in the Android System component, among other things, that allowed code to be injected from the network.

Android patch day

Besides Google, other manufacturers also regularly publish security patches, but mostly only for some product series. Devices from other manufacturers get the updates considerably later or, in the worst case, not at all.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.