Google has published its Android security bulletin for December, warning of 47 bugs across the operating system. Ten of the vulnerabilities are rated ‘critical’ in their potential impact, the most severe rating, while the other 37 are rated as ‘high’ priority.
Google said it had split the vulnerabilities into two patch levels in its alert, so that Android smartphone makers can fix a subset of vulnerabilities that are similar across all Android devices more quickly, should they want to.
But it warned: “Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.” It recommended that they bundle the fixes for all the issues they are addressing in a single update.
Google said that among the most severe of these flaws is a critical security vulnerability in the media framework that could enable a remote attacker, using a specially crafted file, to execute arbitrary code within the context of a privileged process.
These bugs won’t come as a surprise to the makers of Android smartphones. Google’s partners are notified of all issues at least a month before publication. Source-code patches for these issues will be released to the Android Open Source Project repository in the next 48 hours.
Google said exploiting issues on Android is made more difficult by features in newer versions of the Android platform: “We encourage all users to update to the latest version of Android where possible.”
However, not all Android makers feel that updating old hardware to the newest version of Android is a particular priority, leaving many smartphones languishing on older and therefore less secure versions.
Submitted by: Arnfried Walbrecht