With the Android Security Bulletin for September 2024, Google again documents the vulnerabilities in the mobile operating system that its developers have fixed in the open source code; the bulletin usually appears on the first Monday of each month. It also covers security patches from the Linux kernel and security-relevant bug fixes from chip manufacturers. Google publishes a separate report on the fixed security holes in its Pixel devices, often with some delay.
Two patch levels in the security bulletin
The closed security gaps are usually distributed across two so-called patch levels. The first, 2024-09-01, contains the closed AOSP (Android Open Source Project) gaps. Patch level 2024-09-05 documents the gaps that have been fixed in the Linux kernel (as far as they affect Android) and in the chipsets of various suppliers. The latter only ever affect a subset of Android devices, because their manufacturers use different hardware components. Accordingly, Google obliges the manufacturers to implement the security patches that apply to their hardware.
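A device reports the patch level it has reached in the system property `ro.build.version.security_patch`; comparing that value against the two levels of this bulletin tells an administrator whether only the AOSP fixes or also the kernel and vendor fixes are present. The following Python helper is an added example written for this article, not code from Google or the bulletin; the `getprop` output it parses is constructed.

```python
import re
from datetime import date

# Patch levels named in the September 2024 Android Security Bulletin.
AOSP_LEVEL = date(2024, 9, 1)   # AOSP fixes only (core OS components)
FULL_LEVEL = date(2024, 9, 5)   # AOSP plus Linux kernel and chipset (vendor) fixes

def parse_patch_level(value: str) -> date:
    """Parse the YYYY-MM-DD string Android reports as its security patch level."""
    year, month, day = (int(part) for part in value.strip().split("-"))
    return date(year, month, day)

def patch_status(reported: str) -> str:
    """Classify a reported patch level against the two levels of this bulletin.

    'full'      -> kernel and vendor fixes (2024-09-05) are present as well
    'aosp-only' -> core fixes (2024-09-01) present, vendor/kernel fixes still missing
    'behind'    -> the device predates this bulletin entirely
    """
    level = parse_patch_level(reported)
    if level >= FULL_LEVEL:
        return "full"
    if level >= AOSP_LEVEL:
        return "aosp-only"
    return "behind"

# Matches one line of `adb shell getprop` output: [name]: [value]
_PROP_RE = re.compile(r"^\[(?P<name>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

def status_from_getprop(output: str) -> str:
    """Find the security patch property in getprop output and classify it."""
    for line in output.splitlines():
        match = _PROP_RE.match(line.strip())
        if match and match.group("name") == "ro.build.version.security_patch":
            return patch_status(match.group("value"))
    raise ValueError("ro.build.version.security_patch not found in getprop output")

# Constructed sample: a device that has received only the AOSP patch level.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-09-01]
[ro.product.model]: [example-device]
"""

if __name__ == "__main__":
    print(status_from_getprop(SAMPLE_GETPROP))
```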
Patch level 2024-09-01 with a 0-day vulnerability
For patch level 2024-09-01, the September Security Bulletin lists ten closed security vulnerabilities in the core components of the operating system. Google classifies all of them as high risk. Exploiting most of the vulnerabilities can give an attacker elevated local privileges (EoP). Without providing further details, Google warns that there are signs of “limited, targeted attacks” exploiting the CVE-2024-32896 vulnerability. All Android versions (12 to 14) are potentially at risk.
An update to close the CVE-2024-40659 security vulnerability will be distributed via Google Play in September as part of the Mainline project. These updates are intended for devices running Android 12 to 14 that no longer receive manufacturer support.
Patch Level 2024-09-05 with two critical vulnerabilities
For the hardware-related patch level 2024-09-05, the September bulletin lists 25 closed vulnerabilities. Among them is a security vulnerability (CVE-2024-36972) in the upstream kernel (Linux) that is classified as high risk.
All other vulnerabilities are also classified as high risk. They are distributed across components from chip suppliers ARM (Mali GPU), Imagination Technologies (PowerVR GPU), Unisoc and Qualcomm. Qualcomm alone accounts for 19 security vulnerabilities, two of which (CVE-2024-33042, -33052) are classified as critical. They affect Qualcomm’s WLAN component.
Pixel Update Bulletin with four critical vulnerabilities
The separate bulletin for Google’s Pixel devices even came out a few hours before the Android security bulletin this month. Google only released both on September 3rd because Monday was Labor Day, a holiday in the US and Canada.
The Pixel Update Bulletin for September documents the vulnerabilities fixed in Pixel devices in addition to those from the Android Security Bulletin. This month there are a total of six security vulnerabilities, four of which Google classifies as critical. An attacker who exploits one of these vulnerabilities could gain higher privileges. The two remaining security vulnerabilities are considered high risk.
The number of smartphone and tablet manufacturers that provide security updates for their devices more or less regularly has increased in recent years, but there is still a lot of room for improvement. This is all the more true as some manufacturers only offer monthly updates for their expensive top models. While Samsung delivers the updates promptly, often even before Google, other manufacturers sometimes lag several weeks (or longer) behind.