September 2018 security patches are here for the Pixel line

By | 4th September 2018

Fixing the latest bugs and exploits in Android every month.

Google has detailed the latest Android Security Bulletin and released the fixes for Nexus and Pixel devices.

These are exploits and other security concerns that affect Android as a whole. Issues with the operating system, kernel patches, and driver updates may not affect any particular device, but these need to be fixed in the Android base by the folks maintaining the operating system code. That means Google, and they've detailed the things they have improved for this month.

Updated factory images for Pixel and Nexus devices that are supported are available, and over-the-air updates are rolling out to users. If you don't want to wait, you can download and flash the factory image or OTA update file manually, and here are some handy instructions to get you started.

How to manually update your Nexus or Pixel

The company that made your phone uses these patches to send an update out to you.

These changes have been released to the people making Android phones for at least 30 days, but Google can't force anyone to deliver them to you. If you're using a phone from Samsung, LG, or anyone besides Google, you'll need to wait for them to send an update and shouldn't try to flash any of the above files.

Of course, Google has safety checks in place to prevent any problems on your phone because of any security exploits. Verify Apps and SafetyNet are at work anytime you add an app to your phone, and seamless updates to Google Play Services will keep them up to date regardless of any hold up from a manufacturer or carrier. Details and incident numbers can be found in the yearly Android Security Review (.pdf file).

Highlights for September 2018

September 2018's update comes with two patch dates: 09/01/2018 and 09/05/2018.

  • Several patches mitigate an exploit that could allow a malicious app to read protected data is installed.
  • Qualcomm has patched several critical and high priority issues in its closed-source components.
  • Google also patched Pixel 2-specific issues to improve charging and car audio. Details can be seen here.

Previous bulletin highlights

Here are summaries and highlights of recent patches from the monthly Android Security Bulletin. As with the current bulletin, these issues were also mitigated by Google's Verify Apps, Safety Net, and seamless updates to Google Play Services.

Highlights for August 2018

August 2018's update comes with two patch dates: 08/01/2018 and 08/05/2018.

  • The bulk of the fixes in April are patches to the Android runtime, Android framework, and media framework parts of the OS to prevent remote attackers from using specialized code to initiate attacks.
  • Android hardware vendors are doing their part, too and we see new fixes from NVIDIA and Qualcomm that will make our gear safer.
  • Google also patched several Pixel-specific issues. These can be seen here.

Highlights for June 2018

June 2018's update comes with two patch dates: 06/01/2018 and 06/05/2018.

  • Once again the Android Media Framework sees patches to prevent the latest exploits from gaining elevated privileges, as does the Application Framework.
  • LG, Qualcomm, MediaTek, and NVIDIA all provide important fixes for their assorted binaries across all devices, and critical issues with the bootloader were patched by Qualcomm and LG.
  • Google also patched a number of Nexus and Pixel-specific issues in this month's bulletin as well as made usability tweaks for those devices. Those can be seen here.

Highlights for May 2018

May 2018's update comes with two patch dates: 05/01/2018 and 05/05/2018.

  • The most severe issues addressed are in the Android runtime and Media framework, and would allow a remote user to gain elevated privileges if not fixed.
  • Qualcomm and NVIDIA both provide important fixes for their assorted binaries across all devices, and Qualcomm has addressed a critical bug in the WLAN driver of their chips.
  • Google also patched a number of Nexus and Pixel-specific issues in this month's bulletin, which can be seen here.

Highlights for April 2018

April 2018's update comes with two patch dates: 04/01/2018 and 04/05/2018.

  • As with other months, the bulk of the fixes in April are patches to the Android runtime, Android framework, and media framework parts of the OS to prevent remote attackers from using specialized code to initiate attacks.
  • Google specifically calls out Qualcomm in this month's bulletin for "their dedicated efforts to improve the security of mobile devices." This is a result of Qualcomm's inclusion of all patches sent upstream to Android (both closed and open source) between 2014 and 2016, which are now part of the public record.
  • Google also patched a number of Nexus and Pixel-specific issues in this month's bulletin, which can be seen here.

Highlights for March 2018

March 2018's update comes with two patch dates: 03/01/2018, and 03/05/2018.

  • The most severe vulnerabilities addressed in this month's patch are again tied to the media framework and an attacker's ability to run arbitrary code using a specially crafted media file. This has been and always will be an issue for all operating systems until a better way to package up media files is invented.
  • This patch also includes patches made to the upstream Linux kernel to address vulnerable issues in the USB driver
  • As usual, Android hardware vendors are doing their part, too and we see new fixes from NVIDIA and Qualcomm that will make our gear safer.

If you get an update with a patch date of 03/05/2018, you also have every issue addressed by the 03/01/2018 update in place.

Highlights for February 2018

February 2018's update comes with two patch dates: 02/01/2018, and 02/05/2018.

  • The most severe vulnerability addressed in this month's small patch is once again tied to the media framework and an attacker's ability to run arbitrary code using a specially crafted media file.
  • A second fix in the 02/01 patch blocks a malicious app from escalating its privileges or running code as a privileged user.
  • The 02/05 update entails device-specific patches from HTC, NVIDIA, Qualcomm and the Linux Kernel maintainers to address issues in the Bootloader, Wi-Fi driver(s), and media framework.

If you get an update with a patch date of 02/05/2018, you also have every issue addressed by the 02/01/2018 update in place.

Highlights for January 2018

January 2018's update comes with two patch dates: 01/01/2018, and 01/05/2018.

  • January 2018's most severe vulnerability addressed is a patch for the Android runtime that could let an attacker gain access to certain OS features without user interaction
  • Vulnerabilities that allowed code execution through the Media Framework were patched, like every month.
  • A vulnerability specific to the LG bootloader that allowed elevated privileges was patched. Life's Good, once again.
  • A vulnerability specific to the NVIDIA driver that allowed elevated privileges was found and fixed
  • Qualcomm provided a handful of closed-source fixes in addition to patches for the display driver and bootloader

If you get an update with a patch date of 01/05/2018, you also have every issue addressed by the 01/01/2018 update in place.

Highlights for December 2017

December 2017's update comes with two patch dates: 12/01/2017, and 12/05/2017.

  • If your device didn't get updated with the November 6 patch last month, December's update also comes with a fix for the KRACK WPA2 Wi-Fi vulnerability.
  • A vulnerability with Android's framework that allowed malicious apps to get past user interactions requirements to access greater permissions has been squashed.
  • The media framework has also been updated to patch a threat that allowed a remote attacker to send out an arbitrary code to your device.
  • Components for numerous MediaTek, NVIDIA, and Qualcomm components have been updated with security fixes.

If you get an update with a patch date of 12/05/2017, you also have every issue addressed by the 12/01/2017 update in place.

Highlights for November 2017

November 2017's update comes with three patch dates: 11/01/2017, 11/05/2017 and 11/06/2017.

  • This month's patch updates the network stack to patch the KRACK Wi-Fi exploit.
  • The Android framework has once again been patched to prevent an exploit that bypass user interaction requirements in order to gain access to additional permissions.
  • The media framework and the Android system itself were again patched to combat the ever-present attacks through media containers. This has been a monthly thing for over a year and will certainly continue.
  • Critical updates were applied as far back as Android 5.02 for OEMs to use to patch their existing devices if they wish.
  • Broadcom, MediaTek, NVIDIA, and Qualcomm have each patched a number of drivers that could potentially allow remote attackers to execute code.

If you get an update with a patch date of 10/05/2017, you also have every issue addressed by the 10/01/2017 update in place. Devices that receive a patch with the 11/06/2017 date have all the November fixes in place as well as all previous patches. This is something new and we're hopeful that it continues.

Highlights for October 2017

October 2017's update comes with two patch dates: 10/01/2017 and 10/05/2017.

  • This month's patch updates several critical components to prevent privileged code execution, both locally and remote.
  • The Android framework has been patched to prevent an exploit that bypass user interaction requirements in order to gain access to additional permissions.
  • The media framework and the Android system itself were patched to prevent execute arbitrary code within the context of a privileged process.
  • Critical updates were applied as far back as Android 4.4
  • Broadcom, MediaTek, and Qualcomm have each patched a number of drivers that could potentially allow remote attackers to execute code.

If you get an update with a patch date of 10/05/2017, you also have every issue addressed by the 10/01/2017 update in place.

Highlights for September 2017

September 2017's update comes with two patch dates: 09/01/2017 and 09/05/2017.

  • The main issue this month revolves, once again, around a vulnerability in the media framework that, when paired with exploitative code, could remotely execute malware on a user's device.
  • Some of these patches go back to Android 4.4 KitKat.
  • A runtime bug has been patched that would allow a remote user to execute code that could cause an app to hang.
  • Broadcom has once again issued a number of patches for its Wi-Fi drivers.
  • MediaTek and Qualcomm have each patched a number of drivers that could potentially allow remote attackers to execute code.

If you get an update with a patch date of 09/05/2017, you also have every issue addressed by the 09/01/2017 update in place.

Highlights for August 2017

August 2017's update comes with two patch dates: 08/01/2017 and 08/05/2017.

  • A moderate issue in the Android runtime that could enable privileged code execution has been patched.
  • Again we see numerous issues that could allow remote code execution through the media libraries patched, with some changes going back to Android 4.4.
  • Qualcomm has patched numerous escalation of privilege issues in the Snapdragon platform. These include moderate vulnerability patches for video, the GPU, and USB input/output. Since these include closed source changes, new versions are available from Qualcomm for your device manufacturer to implement as needed.
  • MediaTek and Broadcom have also supplied patched device drivers for a range of issues rated from low to moderate. Any of these binaries that are applicable to Nexus or Pixel devices are available at the Google Developer site.

If you get an update with a patch date of 08/05/2017, you also have every issue addressed by the 08/01/2017 update in place.

Archives of all previous Android Security Bulletins are available at the Android Security website.

See the Android Security website for details on all bulletins

Updated September 2018: Google has detailed the latest Android Security Bulletin and released July 2018 security updates for Pixel devices.