Google patches 17 critical vulnerabilities in android may security update
- Google pushed out its monthly Android patches Monday, addressing 17 critical vulnerabilities, six of which are tied to its problematic Mediaserver (an Android component that handles the processing of image and video files) component,that could be used to execute malicious code remotely.
- An additional four critical vulnerabilities related to Qualcomm components in Android handsets including Google’s own Nexus 6P, Pixel XL and Nexus 9 devices were also patched.
According to the Google security bulletin for Android published Monday, this month’s security update is one of the largest security fixes the company ever compiled in a single month.
Google has split Android’s monthly security bulletin into security “patch levels”:
- Partial security patch level (2017-05-01) covers patches for vulnerabilities that are common to all Android devices.
- Complete security patch level (2017-05-05) includes additional fixes for hardware drivers as well as kernel components that are present only in some devices.
Denial of service vulnerability in Mediaserver
A remote denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as Low due to details specific to the vulnerability.
Denial of service vulnerability in Qualcomm Wi-Fi driver
A denial of service vulnerability in the Qualcomm Wi-Fi driver could enable a proximate attacker to cause a denial of service in the Wi-Fi subsystem. This issue is rated as High due to the possibility of remote denial of service.
Information disclosure vulnerability in:
- Framework APIs
- File-Based Encryption
- Bluetooth
- OpenSSL & Bor
- gSSL
- Qualcomm Wi-Fi driver
- MediaTek command queue driver
- Qualcomm crypto eng
- e driver
- kernel UVC driver
- Qualcomm video driver
- Qualcomm power driver (device specific)
- Qualcomm LED driver
- Qualcomm shared memory driver
- Qualcomm camera driver
- kernel trace subsystem
- Qualcomm sound codec driver
- Qualcomm camera driver
- Qualcomm sound driver
- Qualcomm SPCom driver
- Qualcomm sound codec driver
- Broadcom Wi-Fi driver
- Synaptics touchscreen driver
An information disclosure vulnerability in the any above could enable a local malicious application to access data outside of its permission levels. This issue is rated as high for Framework APIs,Qualcomm Wi-Fi driver, MediaTek command queue driver, and Qualcomm crypto engine driver and Moderate for all others.
Remote code execution vulnerability in:
- Mediaserver
- in GIFLIB
- in libxml2
A remote code execution vulnerability in the any above could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. and High for libxml2 due to the possibility of remote code execution in an application that uses this library.
Elevation of privilege vulnerability
- Framework APIs
- Mediaserver
- Bluetooth
- MediaTek touchscreen driver
- Qualcomm bootloader
- kernel sound subsystem
- Motorola bootloader
- NVIDIA video driver
- Qualcomm power driver
- kernel trace subsystem
- MediaTek thermal driver
- Qualcomm Wi-Fi driver
- Qualcomm video driver
- kernel performance subsystem
- Qualcomm sound driver
- Qualcomm LED driver
- Qualcomm crypto driver
- Qualcomm shared memory driver
- Qualcomm Slimbus driver
- Qualcomm ADSPRPC driver
- Qualcomm Secure Execution Environment Communicator driver
- MediaTek power driver
- MediaTek system management interrupt driver
- MediaTek video driver
- MediaTek command queue driver
- Qualcomm pin controller driver
- Qualcomm Secure Channel Manager Driver
- Qualcomm sound codec driver
- kernel voltage regulator driver
- Qualcomm camera driver
- Qualcomm networking driver
- Goodix touchscreen driver
- HTC bootloader
An elevation of privilege vulnerability in the any above could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical for most of above listed due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
What to Do?
Users are strongly advised to download the most recent Android security update to keep their devices protected against any potential attack.
Nexus and Pixel devices will receive the complete patch in an over-the-air update in the coming days, or the owners can download it directly from Google’s developer site.
It’s also worth noting that Google revealed last week that the Nexus 6 and Nexus 9, which were released in November 2014, would no longer be “guaranteed” to receive security updates after October 2017.
A similar timeline has been offered for newer Pixel and Pixel XL handsets of October 2019. After that, the tech giant will only push necessary security fixes to those devices.