When is a security update not a security update? Well, it’s a trick question, but the answer is – when it’s patching flaws in a version of an OS nobody beyond developers is yet running.
That OS is the all-new Android 10, which this week has started appearing on a tiny number of smartphones, complete with its first ever security patches.
Reading the September Security Bulletin, there are two specific to Android 10 – the first a remote code execution (RCE) flaw marked ‘critical’ in the Media Framework (CVE-2019-2108), and the second an elevation of privilege (EoP) flaw marked ‘high’ priority (CVE-2019-9254) affecting the Framework.
Of course, if you’re among the vast throng who don’t yet have Android 10 (or will need to buy a new device to get it), you’ll first see these when you download the new OS, in which case they’ll just be part of the first incarnation of the software.
That means Google is officially patching security flaws before users have their hands on the software containing the vulnerabilities being fixed.
For everyone else, this month sees fixes for a routine collection of woes. The advisory mentions a single critical flaw affecting Android 8.x and 9.x, plus another 12 marked high priority affecting different mixes of versions between 7.x, 8.x and 9.x.
In addition, there are three high priority fixes for Nvidia components in devices using them (including one affecting ARM Trusted Firmware) plus 17 CVE-level flaws marked high affecting Qualcomm.
Qualcomm’s closed-source components add a final tranche of 14 flaws, two described as critical.
Android 10 updating
Of course, it can take a long time for monthly Android fixes to reach devices – anything from days for Google Pixels, to months for everything else.
On a positive note, Android 10 implements Project Mainline, an initiative through which at least some urgent security fixes in the Google-specific bits of Android can be applied as simple updates delivered from the Play Store (see our earlier coverage for details on which components will be part of this initiative).
It’s good timing because there is evidence that the commercial market for flaws in Android is experiencing a dangerous spot of price inflation.
‘Commercial market’ refers to the price that independent companies are willing to pay for researchers to tell them about exploitable flaws in software such as Android, Windows, iOS or macOS.
One such enterprise is Zerodium, which this week released a new price list attaching a bug bounty of up to $2.5 million for the best zero-day (unknown, unpatched) flaws.
That’s a big increase for Android zero-days from a year ago, beating the $2 million offered for equivalent vulnerabilities affecting iOS.
Even if (as some suspect) this is mostly clever marketing by Zerodium, it serves to remind us that not every serious flaw discovered by researchers gets sent to vendors to rustle up a fix.
Who exactly gets their hands on the flaws bought up by specialist companies is anyone’s guess, but it’s likely that customer lists include governments and law enforcement.