Critical Android 12 bug fixed in February security patches • The Register
The February edition of Google’s monthly Android security update addresses, among other vulnerabilities, a critical, eyebrow-raising flaw in Android 12.
This bug, CVE-2021-39675, is present in the system component of the mobile operating system and can be abused to achieve remote elevation of privilege without the user needing to do anything, and “without any additional execution privileges needed”, as Google put it cryptically.
The web giant didn’t reveal much more information about the vulnerability, although it did point to a source-level change in Android’s wireless NFC code that brings additional verification to bear on the matter. ensure that a size parameter is not too large. Now you can imagine how this is a “remote privilege escalation” bug that requires no user interaction to exploit.
Presumably, Google doesn’t want to go into too much detail at this point as it is in the process of rolling out its fixes.
This February batch of security patches marks the last official update for Google Pixel 3 Smartphones, which launched in October 2018, which is like a century ago for the internet goliath. As this documentation states, the Pixel 3 and Pixel 3 XL “will no longer receive Android version updates and security updates.”
The Pixel 3 line received a small update in January to fix the Microsoft Teams emergency call issue. As widely reported, however, this month’s security pack is Google’s latest software update for handhelds.
In addition to CVE-2021-39675, there are five Google-patched high-severity vulnerabilities in the system component, ranging from elevation of privilege flaws in Android 11 and 12 to denial of service in Android 10 and 11.
There are also five very serious flaws in Android’s Framework component, which can apparently be exploited by malicious apps to gain elevated privileges. These bugs have links to source-level fixes that go into more detail. Then there are four very serious vulnerabilities in Media Framework and two MediaProvider programming errors fixed via Google Play system updates.
These flaws are fixed in update bundle 2022-02-01. There is a separate set of patches, dated 2022-02-05, which closes a very serious hole in System; a high-gravity hole in Amlogic’s Fastboot component; five high-severity bugs in MediaTek code; three in Unisoc code; and 10 high severity and one critical in Qualcomm code. Your device will only need these hardware-specific fixes if it has the correct chipset.
Four additional bugs have been fixed for Pixel handsets only: two high-severity issues with the devices’ camera and battery functions, and two moderate-level issues involving kernel-level Qualcomm code.
Google Pixel phone owners will be among the first, if not the first, to be offered these updates to download and install, and other phone makers will hopefully follow soon after. Android’s patch landscape is a bit non-trivial, although there are efforts to streamline it.
Basically, check for system updates and install them once they are available, if they haven’t already pushed to your gadget. Source-level fixes for these security vulnerabilities have been released on the Android Open Source Project.
By the way, there are many alternative versions of Android, including LineageOS, which supports hundreds of devices, and its commercial variant /e/OS, which we’ve already reviewed, but even the 249 devices that he mounts are only a small part of the vast wealth of equipment available.
Most other downstream Android variants support far fewer models: GrapheneOS, the successor to the older Copperhead OS, only supports a dozen Pixel models, as does CalyxOS. ®