Unbeknown to most users, devices running supported versions of Android are supposed to get small amounts of new software every month, mostly security updates.
Unfortunately, as we pointed out in May, when and whether that happens is a matter of whim for each device’s manufacturer.
Updates for Google’s Pixel smartphones will arrive sometime this week – covering functional issues as well as security patches.
But if your device is made by another vendor, June’s Android patches could turn up any time from next month to some point later this year.
Given that June’s two patch levels (2019-06-01 and 2019-06-05) comprise only 13 CVEs plus another 9 from Qualcomm, this might not sound like that big a loss.
But if the same device is also missing previous updates, as many will be, the number of missing patches rises to dozens.
Amplifying the update confusion is Android’s version fragmentation, which gave Apple CEO Tim Cook cause to gloat when he mentioned at this week’s WWDC 2019 conference that the newest version of Android is still only running on 10% of Google’s mobile devices compared to 85% of iPhones running the latest iOS.
Despite the modest vulnerability count, the fact that 8 are marked ‘critical’ and 14 ‘high’ is good enough reason to want them as soon as possible, with 2 of the criticals (CVE-2019-2094 and CVE-2019-2095) affecting only version 9.
Seven are elevation of privilege (EoP), four are remote code execution (RCE), leaving the remaining flaws without designation.
By policy, Google doesn’t furnish much detail on individual flaws, but does mention that the most serious of this month’s vulnerabilities is in media framework which might allow:
A remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
Meanwhile, CVE-2019-2097 in the Android system could:
Enable a remote attacker using a specially crafted PAC file to execute arbitrary code within the context of a privileged process.
Luckily, the advisory continues, Google has had no reports that any of the serious flaws are being exploited.
What to do
Anyone looking to understand the difference between Android’s two patching levels should read the explanation we offered as part of April’s Android patch coverage.
Individual vendors often publish their own advisories that often offer clearer information than Google’s official Android updates. For instance, here are the June 2019 updates for Samsung, Nokia, Motorola, LG, and Huawei.