Android's July 2024 Security Update Addresses 27 Vulnerabilities

Google has released its latest Android Security Bulletin for July 2024, detailing a range of vulnerabilities affecting Android devices and the corresponding patches to address these issues.

The update, which was published on July 1, 2024, covers security patch levels 2024-07-01 and 2024-07-05, addressing a total of 27 vulnerabilities across various Android components.

Among the most severe issues addressed in this update is a critical security vulnerability in the Framework component. This flaw could potentially allow local attackers to escalate privileges on affected devices without requiring additional execution privileges. The severity of this vulnerability underscores the importance of prompt patching for Android users.

Another critical vulnerability (CVE-2024-26923) was identified in the kernel, which could also lead to local privilege escalation. This issue is addressed in the 2024-07-05 security patch level, highlighting the tiered approach Google takes in releasing security updates.

High-Severity Vulnerabilities Across Multiple Components

The bulletin also details several high-severity vulnerabilities affecting various Android components and third-party elements:

• Framework and System: Multiple elevation of privilege and information disclosure vulnerabilities were patched in these core Android components.
• ARM Components: Two high-severity vulnerabilities (CVE-2024-0153 and CVE-2024-4610) were identified in Mali, an Arm component used in many Android devices. (ARM Security bulletin) 
• Imagination Technologies: Five high-severity vulnerabilities (CVE-2024-31334, CVE-2024-31335, CVE-2024-34724, CVE-2024-34725, and CVE-2024-34726) were found affecting PowerVR GPUs.
• MediaTek Components: Two critical vulnerabilities (CVE-2024-20076 and CVE-2024-20077) were reported in MediaTek modem components. (MediaTek Security bulletin) 
• Qualcomm Components: Several high-severity vulnerabilities were identified in Qualcomm components, including issues in the kernel, display, and closed-source components.

Google Play System Updates

The security bulletin also mentions vulnerabilities addressed through Google Play system updates, which allow Google to patch certain components without requiring a full system update. Notable among these is a high-severity information disclosure vulnerability in the MediaProvider component.

Google emphasizes the role of the Android security platform and Google Play Protect in mitigating the risk posed by these vulnerabilities. The company notes that exploitation of many issues on Android has become more difficult due to ongoing enhancements in newer versions of the Android platform.

Google strongly encourages all users to update to the latest version of Android where possible. Additionally, Google Play Protect, which is enabled by default on devices with Google Mobile Services, plays a crucial role in protecting users, especially those who install apps from outside the Google Play Store.

Patch Availability and Device Updates

The security patch levels of 2024-07-01 or later address all issues associated with the July 1 security patch level, while levels of 2024-07-05 or later address all issues in both patch levels. Device manufacturers are encouraged to include all patches in a single update, though they have the flexibility to fix a subset of vulnerabilities more quickly.

For some devices running Android 10 or later, the Google Play system update will have a date string matching the 2024-07-01 security patch level. Users can check their device's security patch level in the device's Settings app, under "About phone" and "Android version."

The report highlights the vulnerabilities affecting components from various manufacturers like Qualcomm, MediaTek, and Imagination Technologies, it underscores the complexity of Android's supply chain and the importance of coordinated efforts in addressing security issues.

The inclusion of fixes for closed-source components whichinclude CVE-2024-21461 (critical), CVE-2024-21460, CVE-2024-21462, CVE-2024-21465, and CVE-2024-21469 (all high-severity) also draws attention to the less visible aspects of Android security, reminding users that not all vulnerabilities are publicly detailed but are nonetheless critical to address.