Depending on when users receive it, this week’s Android July 2019 patch update will fix 33 security vulnerabilities, including 9 marked critical, and 24 marked high.
If you own a Google Pixel device, that will be within a day or two, leaving everybody else on the 2019-07-01 and 2019-07-05 patch levels (what these dates mean is explained here) running Android 7, 8 or 9 to wait anything from weeks to months to catch up.
As usual, July’s batch of fixes covers flaws in significant parts of Android, including system, framework, library, and Qualcomm’s numerous components, including closed-source software.
However, as has been the case for some months, it’s the media framework that provides a disproportionate amount of the patching action in the form of three remote code execution (RCE) bugs marked critical.
These are CVE-2019-2107, CVE-2019-2106 (affecting Android 7 and 8), and CVE-2019-2109 (which only affects Android 9).
Another RCE critical is CVE-2019-2111 in the Android system, with the remaining critical flaws all connected to Qualcomm’s closed-source components.
In contrast to Microsoft’s Patch Tuesday, Google rarely offers much detail on individual flaws during the initial patch release, restricting itself to the following generalisation:
The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
Google is able to be this vague primarily because:
We have had no reports of active customer exploitation or abuse of these newly reported issues.
Anyone interested in knowing a bit more about these should check the flaw CVEs on the US National Vulnerability Database (NVD) in a week or two when more information is added on each vulnerability.
Alternatively, vendors publish their own advisories which often feature more device-specific information – see the July 2019 update advisories for Samsung, Nokia, Motorola, LG, and Huawei.
If you own a Huawei device, it should receive this month’s update without issue. As for updates after August’s, the company is due to make an announcement soon (users can find more information on Huawei’s website).
Depending on the version of Android, a device’s patch level (2019-07-01 or 2019-07-05) can be determined in Settings > About phone > Android security patch level. For Android 9 it’s Settings > System > Advanced > System updates.
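For anyone checking more than one handset, the same patch-level comparison can be scripted. The sketch below is an added example, not part of the original article: the device names and inventory format are constructed, and the live check assumes adb is installed and USB debugging is enabled (`ro.build.version.security_patch` is the system property behind the Settings entry).

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the two
# July 2019 levels named in the article. Device names below are constructed.
LEVEL_FIRST="2019-07-01"
LEVEL_SECOND="2019-07-05"

# Turn YYYY-MM-DD into an integer (20190705) so levels compare numerically.
to_num() { printf '%s\n' "$1" | sed 's/-//g'; }

classify_patch_level() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid"; return 0 ;;   # e.g. empty or free-text values
    esac
    n=$(to_num "$1")
    if [ "$n" -ge "$(to_num "$LEVEL_SECOND")" ]; then
        echo "has-2019-07-05"
    elif [ "$n" -ge "$(to_num "$LEVEL_FIRST")" ]; then
        echo "has-2019-07-01-only"
    else
        echo "pre-2019-07"
    fi
}

# Read "device patch_level" lines on stdin, print "device verdict".
audit_inventory() {
    while read -r name level; do
        [ -n "$name" ] || continue
        printf '%s %s\n' "$name" "$(classify_patch_level "$level")"
    done
}

# Read the level from a USB-attached device; older adb builds append a
# carriage return to the value, so strip it before classifying.
attached_device_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# Constructed inventory, as a device-management export might look.
audit_inventory <<'EOF'
pixel-lab-01 2019-07-05
vendor-phone-02 2019-07-01
old-tablet-03 2019-05-01
kiosk-04 unknown
EOF
```

To check a connected handset instead of the sample list, run `classify_patch_level "$(attached_device_level)"`.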
16 comments on “Patch Android! July 2019 update fixes 9 critical flaws”
I’d love to update my Android OS. Unfortunately after just one update, my cellphone manufacturer stopped releasing patches for the OS. I’m not buying a new phone just to get the latest Android release. In fact, when I manage to break this phone, I will replace it with a dumb phone just to get away from all the aggravation of being tracked and to get off the “buy a new phone to get the latest & greatest” treadmill.
Can you unlock the firmware? Is your device supported by one of the alternative distros such as LineageOS [q.v.]? If so you can dump Google Android and switch to a variant that is still supported (and doesn’t have any vendor bloatware). Bit of a science project but it’s not that hard, and if possible it’s well worth a try.
Unlocking the firmware to put LineageOS won’t patch baseband flaws/backdoors (Qualcomm or else). So it’s not exactly a solution although still better than not being patched at all.
Sometimes (often?) it’s not Google, or the Android open-source project, or Qualcomm etc. who aren’t providing patches, it’s the vendor or the mobile carrier who sold you the phone package that stops publishing updates, both over the air and via full firmware downloads, even though all the raw materials for those updates are available.
You might have identical hardware to phones that *are* getting patches and yet be out in the cold… if so, alternative firmware versions may well include the needed updates.
This is my case — I’m even on Google Fi running an Android One device, but the manufacturer apparently sees fit to keep us 2 months behind in patches…
I did the third-party firmware route before and ran into two issues:
1. How well do I trust the ROM maker? How well do I trust that the distributor (download site) did not modify the ROM?
2. After changing ROMs, I received no OTA updates. My only update method seemed to be wipe/re-flash the ROM every few months, losing all my stored settings, text messages etc. each time.
LineageOS does have autoupdates and comes from a pretty well-established community.
But alternative firmware versions for non-mainstream phone models or weird phone/vendor/carrier combinations do indeed come from “some enthusiastic person out there” and how to trust the person who cooked that ROM version is indeed a tricky question to answer. Even if they are honest and have no intention of hacking you…how do you trust the file download site they’ve chosen to use, and so forth.
Sadly, as you say, using alternative firmware is a bit of a jump into the unknown and the motto caveat emptor is about the best advice I can offer. My own experiences with LineageOS have all been good, but I haven’t tried it on many devices, and I generally use my Lineaged devices for very little except pseudoanonymous browsing with DuckDuckGo (in other words I never login to services such as webmail or social media – just use my old-but-revived devices to kill time on the train or to listen to free music at the airport).
IMO phones you purchase outright should be legislated to have the bootloader unlocked and Google should step up to the plate and offer generic (easy to install) updates just like Microsoft (for windows) for all phones with the hardware capable of running a specific version of Android.
Yes, my bootloader is locked.
Have you looked around forums like XDA to see if the bootloader can be unlocked in some device-specific way? Some vendors ship their products locked but nevertheless provide an official (if not exactly freely documented) way to unlock the bootloader so that developers can do it on purpose but regular users won’t do it by mistake.
For example, I bought a Nokia One for research use. It ships locked and there is no menu option to unlock it, but there is a by-design fastboot command to do so. You need to retrieve the serial number of the device and then upload its MD5 hash. After that you can fastboot oem unlock it and reflash the firmware “at own risk”.
It’s worth digging around a bit to see if there’s a known process for your phone. (Apologies if you have already tried all that.)
After the update my phone won’t show some photos on apps like FB, FB Messenger and IG. What’s the deal? Before the update I had zero issues. I’ve cleared my cache and temp files to no avail.
As of the date of your post, Facebook properties including WhatsApp and IG experienced a worldwide server outage that resulted in the exact behavior you describe. This should have resolved itself the next day (it did on my Android phone), so unless you are continuing to see this issue, I wouldn’t worry about your Android update.
Same Here!!! I went to my photos last after I installed this last night, and there were 4 months of pictures missing. Plus I cannot answer my phone. When I try to, it shuts off. Voice to text is working sporadically. Etc.
I only understood what you were talking about (fastboot / MD5 Hash) because I have rooted my phones and explored installing a ROM. Most of the phone users I know amaze me that they can figure out how to turn it on let alone go digging around the OS partitions. I still maintain, that all of this is much too complicated for most people. If the vendor or the service provider is no longer going to be offering OS updates, there needs to be a way to address this that is actually do-able by most users for as long as their phone can run the currently offered version of the OS.
The only people who update their phones after OTA vendor support ends, are those who deep dive on XDA while eating breakfast or those who wish they could somehow embed their phone in their head so that they can have two free hands to type. 🙂
I can understand why vendors don’t want to make it trivial to unlock the bootloader, but I agree that a standardised way to do it (even if it needs a fastboot-like tool to be used) would be nice.
Mind you, every vendor seems to have a different way of getting to the jolly bootloader menu in the first place, sometimes involving a multi-keypress “N finger salute” that requires both dexterity and determination in equal measure. So perhaps hoping for OEM-unlock standards is beyond even wishful thinking…
Can I uninstall this without any issues? I installed it last night. Since then, when someone calls me and I try to answer, my phone shuts down. It has happened 4 times today. I hit the answer button and my phone just shuts off. My voice to text only works sporadically. The system is now extremely slow. It keeps disconnecting from WiFi and then it does NOT automatically connect to mobile data, even though I have it set to do so. That is all I have found so far.
Also, some of my photos are now missing. I was trying to find a pic from May 2017, and all pictures from January 14 until August 1 are missing. I know these were there because I was looking at them 3 days ago. I just want to know if it is safe to uninstall. I don’t want to have more issues by uninstalling it.