Remote code execution flaw in Android – update now if you can

Android’s December security bulletin arrived this week with another sizable crop of vulnerabilities to add to the patching list for devices running version 7.0 Nougat through version 9.0 Pie, including Google’s own Pixel phones.

Overall, December sees a total of 53 separate flaws and 21 assigned CVE numbers. (Qualcomm components add another 32 CVEs in mainly closed-source components.)

If there’s a theme this month, it’s probably remote code execution (RCE), which accounts for five of the 11 critical flaws listed, plus one flaw marked high.

Four of these were discovered in the Media Framework, with another two in the core system; they could, in Google’s words:

Enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

This means that an attacker exploiting the flaws could remotely take over a vulnerable Android device – for example by sending you a booby-trapped image or talking you into clicking on a this-is-not-the-video-you-wanted-to-watch link.

Fortunately, according to Google, none of the listed flaws is being exploited in the wild.