Google patches four critical Remote Code Execution vulnerabilities in Android July 2019 security patch

  • The most critical of these RCE security flaws is a vulnerability in the Media framework that could allow an attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
  • According to the July 2019 Android Security Bulletin, there were no reports of active exploitation or abuse of these vulnerabilities.

As part of its July 2019 security patch, Google fixed three critical remote code execution (RCE) vulnerabilities in the Media framework and another RCE flaw in the Android system in the Android Open Source Project (AOSP).

The July 2019 patch also fixed 33 other vulnerabilities in the Android system, framework, library, media framework, Qualcomm components, and Qualcomm closed-source components.

Four RCE vulnerabilities

The most critical of these RCE security flaws is a vulnerability in the Media framework that could allow an attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

  • The RCE vulnerabilities (CVE-2019-2106, CVE-2019-2107, and CVE-2019-2109) in the Media Framework impact AOSP versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9.
  • On the other hand, the RCE vulnerability in the Android system impacts only AOSP version 9.0.

According to the July 2019 Android Security Bulletin, there were no reports of active exploitation or abuse of these vulnerabilities.

Two privilege escalation flaws

Two privilege escalation flaws in the Android system were patched in the July 2019 security patch.

  • The first elevation of privilege (EoP) flaw, tracked as CVE-2019-2112, impacts AOSP versions 8.0, 8.1, and 9.
  • The second EoP flaw, tracked as CVE-2019-2113, impacts only AOSP version 9.0.

Other security flaws

The other 31 vulnerabilities patched in this security update include information disclosure flaws impacting the Android system, framework, library, media framework, Qualcomm components, and Qualcomm closed-source components.

“Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin,” the security bulletin read.

Cyware Publisher
