The monthly security bulletin for April 2021 announces the correction of 36 security vulnerabilities in Android. The patch is coming.
With the regularity of a metronome, Google published its new monthly security bulletin for Android in early April. In it, the American company lists the vulnerabilities recently identified in its mobile operating system, which will be corrected by the upcoming release of a dedicated patch. A total of 36 vulnerabilities will be addressed with this update.
People using an Android smartphone should be ready to download and install the patch as soon as it becomes available. The vulnerabilities dealt with this month by Google concern all the latest versions of the mobile OS, that is to say Android 8.1 (released at the end of 2017), 9 (arrived in August 2018), 10 (launched in September 2019) and 11 (rolled out from September 2020).
36 flaws, all considered serious or critical
Because the security bulletin was published very recently and the patch has not yet been widely distributed to Android devices, the details of the vulnerabilities (34 are considered serious, 2 are critical) are not given, in order to avoid giving indications to malicious third parties. This documentation will be provided later, once the risk has been sufficiently mitigated.
Regarding the most serious vulnerability, Google describes it in relatively vague terms: it is located in the System component and, if exploited remotely by a malicious third party, that third party could run a harmful program, taking advantage of privileged access to Android settings. This specific flaw affects versions 10 and 11 of Android, i.e. the two most recent.
This is not the only flaw in the System component: seven others are listed in April. This component is regularly patched by the Mountain View firm. The bulletin also mentions issues in various parts of the OS, including the kernel, as well as in components supplied by MediaTek and Qualcomm. These also receive regular updates.
Google does not rate the severity of vulnerabilities by guesswork. It uses an objective scale for this, the CVSS score, which is calculated from several criteria. For example, must the attacker have physical access to the smartphone, or can they act remotely? In the first case, the attack is much more difficult to carry out.
This assessment also assumes that no countermeasure in Android can mitigate or counter the incident, either because these barriers have been lowered or because they have been bypassed. The bulletin mentions neither the discovery nor the active use of any of these flaws, which is good news on the face of it: it suggests that they will be corrected before they even pose a problem.