Android updates for August 2022 fix 37 vulnerabilities: let's secure our devices

The Android Security Bulletin of August 2022 contains security updates for 37 vulnerabilities: the most serious could lead to remote code execution over Bluetooth without the need for additional execution privileges. Here are the details and tips for updating devices.

The August 2022 Android Security Bulletin has been released containing details of security vulnerabilities affecting Android devices: the patches published by Google in the cumulative update package fix 37 security issues.

Only one of the vulnerabilities fixed in the Android Security Bulletin of August 2022 was rated critical: identified in the System component and tracked as CVE-2022-20345, it could lead to remote code execution over Bluetooth without the need for additional execution privileges.

As usual, the Android security bulletin updates have been split into two progressive patch levels identified as 2022-08-01 security patch level and 2022-08-05 security patch level.

Further details on the updates of the Android Security Bulletin of August 2022 are available on the dedicated page.

The vulnerabilities of the first security patch level

With the first patch package, identified as 2022-08-01 security patch level, 17 vulnerabilities have been fixed, grouped by the system component they affect.

Nine of these have been identified in the Framework module which, as a reminder, acts as an intermediate layer between the operating system and the software that uses it. All are classified as high severity: five are of the EoP (Elevation of Privilege) type and four of the ID (Information Disclosure) type.

The most severe vulnerability in this section could lead to local privilege escalation without the need for additional execution privileges. The nine issues are CVE-2021-39696, CVE-2022-20344, CVE-2022-20348, CVE-2022-20349, CVE-2022-20356, CVE-2022-20350, CVE-2022-20352, CVE-2022-20357 and CVE-2022-20358.

Two other vulnerabilities, both of type ID and rated high severity, were identified and fixed in the Media Framework component: CVE-2022-20346 and CVE-2022-20353. The most serious could lead to remote disclosure of information without the need for additional execution privileges.

Six vulnerabilities were identified in the System component: the most serious, tracked as CVE-2022-20345 and rated critical, could lead to remote code execution via Bluetooth without the need for additional execution privileges.

The other five vulnerabilities identified in this section are rated high severity; four are of the EoP type and one is of the DoS type: CVE-2022-20347, CVE-2022-20354, CVE-2022-20360, CVE-2022-20361, CVE-2022-20355.

In the first patch package of the Android Security Bulletin of August 2022 there is also an update for the Google Play System: tracked as CVE-2022-20228, it affects the Media Framework components.

The vulnerabilities of the second security patch level

The second patch package of the August 2022 Android Security Bulletin, identified as the 2022-08-05 security patch level, fixes a further 19 vulnerabilities.

An Elevation of Privilege (EoP) vulnerability classified as high severity has been identified in Kernel components and tracked as CVE-2022-1786. If exploited, it could lead to local escalation of privilege, with user execution privileges needed.

Seven vulnerabilities in Imagination Technologies modules have been fixed (CVE-2021-0698, CVE-2021-0887, CVE-2021-0891, CVE-2021-0946, CVE-2021-0947, CVE-2021-39815, CVE-2022-20122), all affecting the PowerVR-GPU component.

Technical details and the severity assessment of these vulnerabilities are provided directly by Imagination Technologies in its own security bulletin.

A vulnerability was fixed in MediaTek components: CVE-2022-20082. Again, the technical details and the severity assessment are provided directly by MediaTek in its own security bulletin.

Another vulnerability was fixed in Unisoc components: CVE-2022-20239. Unisoc itself provides the technical details and the severity assessment in its security bulletin.

Finally, a vulnerability was fixed in Qualcomm components (CVE-2022-22080) and eight in Qualcomm closed-source components (CVE-2021-30259, CVE-2022-22059, CVE-2022-22061, CVE-2022-22062, CVE-2022-22067, CVE-2022-22069, CVE-2022-22070, CVE-2022-25668). Again, the technical details and severity assessments are provided directly by Qualcomm in its own security bulletins.

Here’s how to update Android devices

Google has already released all the Android security patches to its partners a month in advance of the publication of the security bulletin, publishing them in the Android Open Source Project (AOSP) repository.

At the moment there is no news of any exploitation of the new vulnerabilities in real attacks. This does not mean that all updates should be installed as soon as possible: some or all, depending on the device, can be applied automatically via Google Play services; others, however, may be sent to you in the form of an update by the operator or device manufacturer, and some may not be necessary.

Cheaper and less updated Android devices may never see updates.

In all cases, especially when the devices are used in a business and production environment, it is advisable to install a good security solution that can guarantee a high level of protection for the data and confidential information stored in memory. It is even better if the solution is integrated into a Mobile Device Management client, where one is used, for remote and centralized control of the devices used for remote working.
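To see which of the two patch levels described above a device has reached, the following added example (not part of the original article or of Google's bulletin) reads the `ro.build.version.security_patch` property over adb and classifies it against 2022-08-01 and 2022-08-05. The inventory lines and device names are constructed, and the labels full, partial, missing and unknown are this example's own.

```shell
#!/bin/sh
# Added example: classify a security patch level (YYYY-MM-DD) against the two
# levels of the August 2022 bulletin. The labels full/partial/missing are
# this example's own, not Android terminology.
classify_patch_level() {
    level=$1
    # Anything that is not a date (empty getprop output, adb error text) is unknown.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    n=$(printf '%s' "$level" | tr -d '-')   # 2022-08-05 -> 20220805
    if [ "$n" -ge 20220805 ]; then
        echo "full"      # both levels: framework/system plus kernel and vendor fixes
    elif [ "$n" -ge 20220801 ]; then
        echo "partial"   # 2022-08-01 only: kernel and vendor component fixes absent
    else
        echo "missing"   # predates the bulletin: none of its fixes are declared
    fi
}

# Read the patch level from a connected device; the serial argument is optional.
device_patch_level() {
    if [ -n "$1" ]; then
        adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r'
    else
        adb shell getprop ro.build.version.security_patch | tr -d '\r'
    fi
}

# Classify "name patch-level" lines read from stdin, e.g. an MDM export.
audit_inventory() {
    while read -r name level; do
        [ -n "$name" ] || continue
        printf '%s %s %s\n' "$name" "${level:-none}" "$(classify_patch_level "$level")"
    done
}

# Constructed inventory (hypothetical device names), so the script runs offline.
audit_inventory <<'EOF'
pixel-6 2022-08-05
field-tablet 2022-08-01
budget-phone 2021-11-01
kiosk-03
EOF
```

With a device attached, `classify_patch_level "$(device_patch_level)"` gives the same classification for live hardware.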

How long devices receive Android updates

Google’s update policies require devices to receive updates for the version of Android installed for at least three years from the date of introduction on the Google Store, while security updates will be guaranteed for three years from the date of introduction in the US version of the Google Store.

As for the release speed, however, if the devices were purchased directly on the Google Store then the updates will arrive within a couple of weeks, while for models purchased from third-party retailers it may take longer, as indicated on the Google support site.
