Released on the 3rd of January, Google’s first Android Security Bulletin for 2017 patched a total of 95 vulnerabilities. About 22 of them were rated Critical, and 50 were classified as elevation of privilege flaws.
The January security bulletin was released with two security patch level strings, which gives Android partners the flexibility to fix vulnerabilities as swiftly as possible. The 2017-01-05 security patch level addressed 72 bugs affecting drivers and other ODM software, while the 2017-01-01 security patch level resolved 23 issues affecting various Android components.
2017-01-01 Security Patch Level
Of the vulnerabilities rated Critical, one was a remote code execution flaw in Mediaserver. The Android Mediaserver component has received nearly three dozen patches since the Stagefright vulnerability was discovered in August 2015.
According to the bulletin,
“The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.”
Along with the Mediaserver RCE vulnerability, Google identified other flaws as well, such as a denial of service vulnerability (CVE-2017-0390) and an elevation of privilege vulnerability (CVE-2017-0387). Both of these have been classified as high risk.
Other critical vulnerabilities patched include an elevation of privilege vulnerability identified in NVIDIA’s GPU driver (CVE-2016-8424) and one in Qualcomm’s bootloader (CVE-2016-8422). Additional critical elevation of privilege vulnerabilities were identified in several Qualcomm components, such as cameras (CVE-2016-8412). These components are commonly used in Snapdragon-based Android phones made by LG and Samsung. Like Mediaserver, Qualcomm’s components have been patched aggressively since the company’s most notable flaw, QuadRooter, was identified in August 2016.
Further security issues were identified and patched in lesser-known Android components, such as remote code execution bugs in C-ares (CVE-2016-5180), Framesequence (CVE-2017-0382) and libnl (CVE-2017-0386). A remote code execution vulnerability allows attackers to execute arbitrary code in the context of an unprivileged process by means of a specially crafted request.
“An elevation of privilege vulnerability in the libnl library could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as high because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application,” Google wrote regarding the vulnerability in libnl.