Android November update fixes flaws galore

Studying Android’s November security bulletin, you’ll notice that there’s a fair amount to patch.

In total, there are 36 vulnerabilities assigned a CVE, and another 17 relating to Qualcomm components rather than Android itself.

Within Android, four are rated critical and 13 high. If there’s a standout it might be CVE-2018-9527, simply because it’s a Remote Code Execution (RCE) vulnerability affecting all versions from Android 7.0 (Nougat) onwards.

The other RCEs are CVE-2018-9531 and CVE-2018-9521, although both relate only to version 9.0 (Pie), which in practice means devices released since the summer.

CVE-2018-9531 turns out to be one of a clutch of CVEs arising from the libxaac library, which Google says has been marked “experimental” and “is no longer included in any production Android builds.”

Leaving aside the extra flaws added to the mix this month by Qualcomm, November looks very similar to every other month this year – plenty of fixes, exactly what one might expect.

The complicated bit

However, this being Android, things are never that simple because when these patches appear on your device – indeed whether they appear at all – will depend on several factors.

One factor is that November’s patches are only for Android versions 7.0 and later: devices that either shipped with 7.0 or later (released in August 2016) or were upgraded to it from an earlier version.

In other words, if your device still runs Android 6.x, the three years of security updates Google commits to for its own devices ended in September and now you’re on your own.

Another factor is how quickly the device maker or mobile network gets around to making the November update available to customers.

To speed things up from the glacial patching of the past, in 2017 Google initiated something called Project Treble, which separates the Android OS framework from the vendor’s hardware-specific implementation so that framework security patches can be applied without reworking the rest of the device’s software.

Unfortunately, vendors other than Google can take anything from one to several months to apply these, while it’s even been claimed that some simply lie about the patch version.

It’s possible the delay has something to do with the difference between Android’s Framework updates (the ones managed by Google itself, increasingly through its own over-the-air firmware servers) and those relating to the components that are part of the vendor’s hardware and software for each device.

Reflecting this, Android’s monthly bulletins define two patch levels, one identified by the first day of the month (e.g. 2018-11-01) and one by the fifth (e.g. 2018-11-05).

If your phone reports the fifth of the month (Settings > About phone > scroll down to Android security patch level), that means you have both the Framework updates and the vendor updates up to and including the current month.

If, however, you see the first day of the month, that means you have the Framework updates for that month but the vendor-specific updates only up to the previous month (we told you it was a bit complicated).
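One way to turn the two-level rule above into something you can run against a fleet rather than reading it off each phone’s settings screen, as an added example that is not code from the original article or from Google: a POSIX shell script that classifies a reported patch level against the bulletin month you care about. It assumes the device value is read with `adb shell getprop ro.build.version.security_patch` (the property that backs the settings screen) and, so that it runs offline, feeds the classifier constructed sample strings rather than a live device.

```shell
#!/bin/sh
# Interpret an Android security patch level (e.g. "2018-11-05") against a
# reference bulletin month, using the 01 / 05 convention described above.

# Reads the live value from a connected device; needs adb on PATH.
# Not called by the sample run below, so the script works without a device.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# month_index YYYY-MM[-DD] -> months since year 0, so months can be subtracted
month_index() {
    y=${1%%-*}
    rest=${1#*-}
    m=${rest%%-*}
    # drop a leading zero so "08"/"09" are not parsed as octal
    m=${m#0}
    y=${y#0}
    echo $(( y * 12 + m ))
}

# classify_patch_level PATCH_LEVEL REFERENCE_MONTH
#   PATCH_LEVEL      what the phone reports, e.g. 2018-11-01 or 2018-11-05
#   REFERENCE_MONTH  the bulletin to compare against, e.g. 2018-11
# Prints one of:
#   full        framework and vendor fixes current for REFERENCE_MONTH
#   framework   framework current, vendor fixes only up to the previous month
#   behind:N    patch level is N bulletin months older than REFERENCE_MONTH
#   ahead       patch level is newer than REFERENCE_MONTH
#   invalid     not a YYYY-MM-DD string
classify_patch_level() {
    level=$1
    ref=$2
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 1 ;;
    esac
    day=${level##*-}
    delta=$(( $(month_index "$ref") - $(month_index "$level") ))
    if [ "$delta" -lt 0 ]; then
        echo ahead
    elif [ "$delta" -gt 0 ]; then
        echo "behind:$delta"
    elif [ "$day" = "05" ]; then
        echo full
    else
        echo framework
    fi
}

# Constructed sample values (not taken from a real device), compared against
# the November 2018 bulletin.
for sample in 2018-11-05 2018-11-01 2018-08-05 2018-12-01; do
    printf '%s -> %s\n' "$sample" "$(classify_patch_level "$sample" 2018-11)"
done
```

To check a real handset, replace the sample loop with `classify_patch_level "$(device_patch_level)" 2018-11`. A device whose vendor has shipped only the 01 level for several months in a row will show up as `framework` every month, which is exactly the gap between Framework and vendor patches this article describes; a string that is neither the 1st nor the 5th is treated as framework-only, since Google publishes no other day.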

Unlike Apple with its small family of devices designed by itself, Android devices are made by numerous vendors, each of which has different models running different versions of Android.

For now, the dream of every Android device getting a guaranteed monthly update for security vulnerabilities is getting nearer whilst appearing frustratingly just out of reach.