Google issued a new Android Security Bulletin and it includes a whopping 47 updates, ten of them for flaws that are rated as critical. New firmware for Nexus and Pixel devices should be available today, everyone with a different Android-based device will have to wait until, or if, vendors distribute the patches.
Five of the critical bugs affect the media framework, while another four impact Qualcomm components. One of the critical system level bugs makes it possible for a nearby attacker to execute arbitrary code, presumably via WiFi, the cellular modem, or Bluetooth.
Besides the ten critical bugs, there are 37 bugs rated as "high" severity. Not all bugs affect all devices, some of them are for specific versions of Android or certain hardware configurations.
Among the critical bugs in the Android Security Bulletin, five concern the media framework, one is system-level, four hit Qualcomm components. The worst, Google said, is one of the media framework bugs, not yet fully disclosed, but it “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process”.
Two of the media framework bugs only affect Android 6.0 (31 per cent of active devices), one affects only Android 8.0 (0.3 per cent), one affects all versions between 7.0 and 8.0 (20.9 per cent), and the most widespread is in all version after 6.0 (nearly 52 per cent of devices).