Critical DoS messaging flaw fixed in December Android update
For anyone lucky enough to get them, Android’s December 2019 updates arrived this week, patching a small list of system and Qualcomm flaws across the operating system’s two patch levels.
In Google’s estimation, at the top of the urgent list on the 2019-12-01 patch level (see below for explanation) is CVE-2019-2232, a critical flaw affecting Android versions 8.0, 8.1, 9, and 10.
This, Google said, could allow an attacker to cause a “permanent” denial of service by sending users a specially crafted message. The company doesn’t explain what it means by this alarming description, and there is no indication it’s being exploited, but users won’t want to find out the hard way.
Overall, the update fixes 15 CVEs (2019-12-01) and 5 CVEs (2019-12-05), with another 22 patching Qualcomm components.
Patch level 2019-12-01
This level affects most third-party handsets – those not made by Google. If the patch level on your phone uses the ‘01’ date beside the month, that means you’re getting the security updates up to and including that date, which is to say all the essential ones.
Three fixes on this level are listed as critical, but for two of these – CVE-2019-2222 and CVE-2019-2223 – the rating only applies for versions 8.0, 8.1, and 9. On Android 10, that drops to ‘high’. That could be because 10 has extra mitigations or because it uses Project Mainline through which some critical updates are applied more quickly via Google Play.
One recently disclosed flaw that was quietly fixed some time ago via the Play store is the hijacking flaw affecting Google’s camera app.