Google Fixes Android Flaws

Friday, April 7, 2017 @ 04:04 PM gHale

Google released security updates for Android that fix remote code execution (RCE) and elevation of privilege (EoP) vulnerabilities.

Google resolved more than 100 vulnerabilities in Android across two separate sets of patches. The first, the 2017-04-01 security patch level, fixes 23 bugs: six critical, nine high risk and eight moderate.

The six critical bugs were RCE issues affecting Mediaserver. The high risk flaws included EoPs in CameraBase, Audioserver, and SurfaceFlinger; information disclosure in Mediaserver; and denial of service (DoS) vulnerabilities in libskia and Mediaserver.

The moderate severity issues included EoP bugs in libnl and Telephony, along with information disclosure vulnerabilities in Mediaserver, libskia, and Factory Reset. Overall, Google patched 15 issues in Mediaserver.

The 2017-04-05 security patch level fixes 79 vulnerabilities: 25 rated critical, 39 rated high, and 15 rated moderate, according to Google’s advisory.

One of the most severe of these vulnerabilities was an RCE issue in Broadcom Wi-Fi firmware. Tracked as CVE-2017-0561 and found by Google Project Zero researcher Gal Beniamini, the issue impacts Nexus and Samsung devices as well as smartphones from other vendors.

Nineteen other critical issues were fixed in Qualcomm components; those fixes were released as part of Qualcomm AMSS security bulletins between 2014 and 2016 (a 20th vulnerability, considered only high risk, was also counted in Google’s advisory).

The rest of the critical flaws included RCE issues in the kernel networking subsystem and the Qualcomm crypto engine driver, along with EoP bugs in the MediaTek touchscreen driver, the HTC touchscreen driver, and the kernel ION subsystem.
