Google Fixes Android Vulnerabilities
Wednesday, March 8, 2017 @ 01:03 PM gHale
Google released a set of monthly security patches for Android that fix over 100 vulnerabilities, where more than 33 percent rated as critical.
Google said two partial security patch level strings are coming out: The 2017-03-01 security patch level to resolve 36 vulnerabilities (11 Critical, 15 High, 9 Moderate, 1 Low), and 2017-03-05 security patch level to address 71 flaws (24 Critical, 32 High, 14 Moderate, 1 Low).
The 11 Critical flaws resolved with the 2017-03-01 security patch level include nine Remote Code Execution (RCE) issues in Mediaserver; one RCE in OpenSSL & BoringSSL; and an Elevation of Privilege (EoP) vulnerability in recovery verifier.
The 15 vulnerabilities rated High included three RCE bugs in AOSP Messaging, libgdx, and Framesequence library; two EoP issues in Audioserver; one EoP in NFC; and nine Denial of Service (DoS) vulnerabilities in Mediaserver.
The Medium risk flaws include EoP issues in Location Manager, Wi-Fi, Package Manager, and System UI; Information disclosure vulnerabilities in AOSP Messaging and Mediaserver; and DoS bugs in Setup Wizard and Mediaserver.
The Low severity issue addressed in 2017-03-01 security patch level is a DoS vulnerability in Audioserver.
The 24 Critical risk issue resolved in 2017-03-05 security patch level include 19 EoP vulnerabilities (seven in MediaTek components, five in NVIDIA GPU driver, two in kernel ION subsystem, one in Broadcom Wi-Fi driver, one in kernel FIQ debugger, one in Qualcomm GPU driver, and two in kernel networking subsystem) and 5 various vulnerabilities in Qualcomm components.
Elevation of privilege issues clearly dominated the patch level. As a result 25 rated High severity ended up addressed. They affected kernel networking subsystem, Qualcomm input hardware driver, MediaTek Hardware Sensor Driver, Qualcomm ADSPRPC driver, Qualcomm fingerprint sensor driver, Qualcomm crypto engine driver, Qualcomm camera driver, MediaTek APK, Qualcomm Wi-Fi driver, Synaptics touchscreen driver, Qualcomm IPA driver, HTC Sensor Hub Driver, NVIDIA GPU driver, Qualcomm networking driver, kernel security subsystem, and Qualcomm SPCom driver.
Six of the remaining High risk issues addressed in 2017-03-05 security patch level are Information disclosure vulnerabilities (affecting kernel networking subsystem, MediaTek driver, Qualcomm bootloader, Qualcomm power driver, NVIDIA GPU driver), while the last one is a Denial of service vulnerability in kernel cryptographic subsystem.
All issues will end up addressed by security patch levels of 2017-03-05 or later, Google said in a blog post.
Leave a Reply
You must be logged in to post a comment.