Android Security Bulletin May 2017: What you need to know

0
SHARE


Image: Jack Wallen

Not proud of its earlier file of 9 Critical vulnerabilities, the Android platform has one-upped itself with 10. Some of those have an effect on Nexus and/or Pixel units, whereas others are utilized to all units working Android four.four.four all the way in which to 7.1.2. Let’s check out the Critical flaw highlights, as detailed within the May 2017 Android Security bulletin.Check your safety launch

Before we spotlight what’s included with the May 2017 Android Security Bulletin, it is at all times good to know what safety launch is put in in your system. Of the Android units I exploit often, each the Verizon-branded Nexus 6, working Android 7.zero, and the OnePlus three, working Android 7.1.1, are nonetheless working the March safety patch (Figure A).

Figure A

Figure A

My OnePlus three working the March safety patch.

Let’s check out these Critical vulnerabilities affecting the Android platform.

Critical vulnerabilities

Remote code execution vulnerability in Mediaserver

Color me not stunned that now we have a holdover essential challenge for the oft-plagued Mediaserver. Yet once more the much-maligned Mediaserver system features a distant code execution vulnerability that would allow an attacker, utilizing a specially-crafted file, to trigger reminiscence corruption throughout media file and knowledge processing. Because of the potential for distant code execution, this challenge has been rated as Critical.

Related bugs: A-35219737, A-34618607, A-34897036, A-35039946, A-34097672, A-34970788

Remote code execution vulnerability in GIFLIB

GIFLIB, a library and utilities for processing GIFs, has been discovered to include a distant code execution vulnerability that would allow an attacker, utilizing a specifically crafted file, to trigger reminiscence corruption throughout media file and knowledge processing. Because of the potential for distant code execution, this challenge has been rated as Critical.

Related bug: A-34697653

Elevation of privilege vulnerability in MediaTek touchscreen driver

Another holdover from final month’s bulletin is discovered within the MediaTek touchscreen driver. This system has been discovered to include an elevation of privilege vulnerability that would allow an area malicious utility to execute arbitrary code throughout the kernel. Because of the potential for system compromise (which may require reflashing the working system to restore the system), this challenge has been rated as Critical.

Related bug: A-30202412

NOTE: The patch for the A-30202412 bug just isn’t publicly out there and could be discovered throughout the newest binary drivers for Nexus units from the Google Developer website.

Elevation of privilege vulnerability in Qualcomm bootloader

The Qualcomm bootloader has been discovered to include an elevation of privilege vulnerability that would allow an area malicious utility to execute arbitrary code throughout the context of the kernel. Because of the potential for an area everlasting system compromise, which can require reflashing the working system to restore the system, this challenge has been rated as Critical.

Related bugs: A-34514954*, A-32952839

* This challenge solely impacts the Nexus 5X, Nexus 6, the Pixel and Pixel XL, and Android One units.

** This challenge solely impacts the Nexus 5X, Nexus 6P, Pixel, and Pixel XL units.

Elevation of privilege vulnerability in kernel sound subsystem

The kernel sound subsystem has been discovered to include an elevation of privilege vulnerability that would allow an area malicious utility to execute arbitrary (and probably malicious) code throughout the context of the kernel. Because of the potential for an area system compromise (which might require reflashing the working system to restore the affected system), this challenge has been rated as Critical.

Related bug: A-34068036

This challenge solely impacts the Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Pixel, Pixel XL, Pixel C, Android One, Nexus Player units.

Elevation of privilege vulnerability in Motorola bootloader

The Motorola bootloader has been discovered to include an elevation of privilege vulnerability that would allow an area malicious utility to execute arbitrary (and probably malicious) code in the course of the bootload course of. Because of the potential for an area system compromise (which might require reflashing the working system to restore the affected system), this challenge has been rated as Critical.

Related bug: A-33840490

NOTE: The patch for the A-33840490 bug just isn’t publicly out there and could be discovered throughout the newest binary drivers for Nexus units from the Google Developer website.

Elevation of privilege vulnerability in NVIDIA video driver

The NVIDIA video driver has been discovered to include an elevation of privilege vulnerability that would allow an area malicious utility to execute arbitrary code throughout the context of the kernel. Because of the potential for an area system compromise (which might require reflashing the working system to restore the affected system), this challenge has been rated as Critical.

Related bug: A-34113000

NOTE: The patch for the A-34113000 bug just isn’t publicly out there and could be discovered throughout the newest binary drivers for Nexus units from the Google Developer website.

This challenge solely impacts Nexus 9 units.

Elevation of privilege vulnerability in Qualcomm energy driver

The Qualcomm energy driver has been found to include an elevation of privilege vulnerability that would allow an area malicious utility to execute arbitrary code throughout the context of the kernel. Because of the potential for an area system compromise (which might require reflashing the working system to restore the affected system), this challenge has been rated as Critical.

Related bug: A-35392981

NOTE: All Google units working Android 7.1.1 or later, which have put in all updates, aren’t affected by this challenge.

Elevation of privilege vulnerability in kernel hint subsystem

The kernel hint subsystem (a system used for debugging the kernel) has been discovered to include an elevation of privilege vulnerability that would allow an area malicious utility to execute arbitrary code throughout the context of the kernel. Because of the potential for an area system compromise (which might require reflashing the working system to restore the affected system), this challenge has been rated as Critical.

Related bug: A-35399704

This challenge solely impacts the Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Pixel, Pixel XL, Pixel C, Android One, Nexus Player units.

Vulnerabilities in Qualcomm elements

Two essential vulnerabilities have been discovered to have an effect on Qualcomm elements. These bugs are addressed, intimately, within the Qualcomm AMSS October 2016 safety bulletin.

Related bugs: A-32578446*, A-35436149**

NOTE: The patch for each the A-31628601 and the A-35358527 bugs just isn’t publicly out there and could be discovered throughout the newest binary drivers for Nexus units from the Google Developer website.

* This challenge solely impacts the Nexus 6P system.

** This challenge impacts the Nexus 5X, Nexus 6, Nexus 6P, Pixel, Pixel XL units.

Upgrade and replace

The builders will work diligently to patch the vulnerabilities, however it’s as much as the tip customers to make sure the fixes discover their option to units. Make positive you not solely test for updates, however that you simply apply them as quickly as they’re out there. To see the complete itemizing of vulnerabilities (which incorporates numerous excessive and reasonable points), take a look at the May 2017 Android Security Bulletin.

Also see


Leave a Reply