

Cybersecurity Briefing — January 6, 2020

Google published the January 2020 Android Security Bulletin with critical framework and media fixes that close remote code execution and privilege escalation paths on supported Pixel devices and AOSP builds.

Executive briefing: Google released the January 2020 Android Security Bulletin on , delivering patched builds to Pixel devices and publishing source fixes for the Android Open Source Project. The bulletin includes multiple critical remote code execution and elevation of privilege flaws across the framework and media stacks that can be triggered via crafted files or transmissions.

Why it matters: Unpatched Android devices remain exposed to drive-by exploits and malicious apps that can gain system-level control. Mobile fleets relying on carrier or OEM updates need to verify patch levels and mitigate vulnerable devices until updates are available.

  • Verify patch level: Require managed Android devices to reach the 2020-01-05 or 2020-01-06 security patch level; quarantine devices that cannot update.
  • Update EMM baselines: Push the January security images to corporate Pixel devices and refresh compliance policies that check ro.build.version.security_patch.
  • Review OEM timelines: Obtain carrier/OEM schedules for Samsung, LG, and other fleets; apply mitigations such as restricting sideloading and enforcing Google Play Protect in the interim.
  • Monitor exploitation: Track vendor advisories and threat intel for proof-of-concept or in-the-wild exploitation of CVEs listed in the bulletin.
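
The patch-level check from the first two items, as an added example that is not part of the original briefing: it classifies devices by the value of ro.build.version.security_patch against the 2020-01-05 baseline named above. The inventory records, device ids and field names are constructed for illustration, and treating any later patch date as compliant is an assumption.

```python
from datetime import date

# Baseline taken from the briefing: devices must report 2020-01-05 or later.
REQUIRED_PATCH_LEVEL = date(2020, 1, 5)

# Constructed sample inventory (hypothetical ids and field names), in the shape
# an EMM export or `adb shell getprop ro.build.version.security_patch` yields.
SAMPLE_INVENTORY = [
    {"device_id": "px-001", "model": "Pixel 4", "security_patch": "2020-01-05"},
    {"device_id": "px-002", "model": "Pixel 3a", "security_patch": "2019-12-05"},
    {"device_id": "sm-101", "model": "Galaxy S10", "security_patch": "2020-01-01"},
    {"device_id": "lg-201", "model": "LG G8", "security_patch": ""},
    {"device_id": "px-003", "model": "Pixel 4 XL", "security_patch": "2020-02-05"},
    {"device_id": "xx-999", "model": "unknown", "security_patch": "January 2020"},
]


def parse_patch_level(value):
    """Return a date for a YYYY-MM-DD patch level, or None if unusable."""
    try:
        return date.fromisoformat((value or "").strip())
    except ValueError:
        return None


def classify(device, required=REQUIRED_PATCH_LEVEL):
    """Return 'compliant', 'quarantine' (too old) or 'unknown' (unparseable)."""
    level = parse_patch_level(device.get("security_patch"))
    if level is None:
        return "unknown"  # fail closed: handle as non-compliant until verified
    return "compliant" if level >= required else "quarantine"


def audit(inventory, required=REQUIRED_PATCH_LEVEL):
    """Group device ids by compliance state."""
    report = {"compliant": [], "quarantine": [], "unknown": []}
    for device in inventory:
        report[classify(device, required)].append(device["device_id"])
    return report


if __name__ == "__main__":
    for state, ids in audit(SAMPLE_INVENTORY).items():
        print(f"{state:10s} {', '.join(ids) or '-'}")
```

Devices with a missing or malformed patch string land in "unknown" rather than passing silently, so they can be reviewed alongside the quarantined set.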