Google's Android security bulletin for December includes a number of flaws that vendors will need to patch.
Google is urging Android device makers to fix all the issues in its December security bulletin. Image: Getty Images
Google has published its Android security bulletin for December, warning of 47 bugs across the operating system.
Ten of the vulnerabilities are rated 'critical' in their potential impact, the most severe type of bug, while the other 37 are rated as 'high' priority.
Google said it had split the vulnerabilities into two patch levels in its alert, so that Android smartphone makers can fix a subset of vulnerabilities that are similar across all Android devices more quickly, should they want to.
But it warned: "Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level." It recommended that they bundle the fixes for all the issues they are addressing in a single update.
Google said among the most severe of these flaws is a critical security vulnerability in the media framework that could enable a remote attacker, using a specially crafted file, to execute arbitrary code within the context of a privileged process.
The first group of 19 vulnerabilities, 2017-12-01, also includes a flaw in the framework section, which could enable a local malicious application to bypass user interaction requirements to gain access to additional permissions. Under system, the worst bug could allow a "proximate attacker" to execute arbitrary code within the context of a privileged process.
The second group of 27 bugs, 2017-12-05, security patch level includes under kernel components a vulnerability that could allow local malicious applications to execute arbitrary code.
There are also vulnerabilities in MediaTek and Nvidia components that could let a local malicious app execute arbitrary code within the context of a privileged process. The bulletin also lists nine vulnerabilities in Qualcomm components and nine vulnerabilities in Qualcomm closed-source components.
These bugs won't come as a surprise to the makers of Android smartphones. Google's partners are notified of all issues at least a month before publication. Source-code patches for these issues will be released to the Android Open Source Project repository in the next 48 hours.
Google said exploiting issues on Android is made more difficult by features in newer versions of the Android platform: "We encourage all users to update to the latest version of Android where possible."
However, not all Android makers feel that updating old hardware to the newest version of Android is a particular priority, leaving many smartphones languishing on older and therefore less secure versions.