The Hacker News

In Brief

Google has released its monthly security patches for Android this week, addressing 17 critical vulnerabilities, 6 of which affect Android Mediaserver component that could be used to execute malicious code remotely.

Besides patches for Mediaserver, Google also fixed 4 critical vulnerabilities related to Qualcomm components discovered in Android handsets, including Google's Nexus 6P, Pixel XL, and Nexus 9 devices.

According to the Google security bulletin for Android published Monday, this month's security update is one of the largest security fixes the company ever compiled in a single month.

Google has split Android's monthly security bulletin into security "patch levels":
  • Partial security patch level (2017-05-01) covers patches for vulnerabilities that are common to all Android devices.
  • Complete security patch level (2017-05-05) includes additional fixes for hardware drivers as well as kernel components that are present only in some devices.


Critical RCE Flaw in Android Mediaserver


The most severe vulnerability exists in Mediaserver – an Android component that handles the processing of image and video files and has been a source of many issues over the past few years, including the critical Stagefright vulnerabilities.
Cybersecurity

According to the search engine giant, the Mediaserver vulnerability "could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."

In other words, attackers could exploit the Mediaserver vulnerability by tricking users into downloading a specially crafted multimedia file on their devices, or sharing the media file via email or other messaging apps and remotely execute arbitrary code.

Interestingly, this vulnerability could be triggered while you sleep, as it's not even necessary for you to open the file because as soon as your device receives the media file, the file system will cause Mediaserver to process it.

The vulnerability was discovered in early January and affects Android versions 4.4.4 KitKat through 7.1.2 Nougat.

Kernel-level Vulnerabilities in Qualcomm


Google has also patched four critical vulnerabilities that stemmed from Qualcomm components and could allow an attacker to gain high-level (root) privileges on an Android device.

Two critical vulnerabilities (CVE-2016-10275 and CVE-2016-10276) in Qualcomm bootloader create conditions ripe for an elevation of privilege attacks, enabling "a local malicious application to execute arbitrary code within the context of the kernel," according to the bulletin.
Cybersecurity

Another critical Qualcomm bug (CVE-2017-0604) in power driver could also allow a local malicious application to execute malicious code on the device within the context of the kernel, which is the most privileged area of the OS.

No Evidence of Flaws Being Exploited in the Wild


Six of the 17 critical patches are addressed with the 2017-05-01 partial security patches, while the remaining 11 critical security flaws affecting various drivers, libraries and bootloaders are patched in the 2017-05-05 complete patch level.

Good news is that Google assured its users that there are no reports of any of the security vulnerabilities being exploited in the wild.

Google says, having two patch levels "provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices."

So, users are strongly advised to download the most recent Android security update to keep their devices protected against any potential attack.

Nexus and Pixel devices will receive the complete patch in an over-the-air update in the coming days, or the owners can download it directly from Google's developer site.

It's also worth noting that Google revealed last week that the Nexus 6 and Nexus 9, which were released in November 2014, would no longer be "guaranteed" to receive security updates after October 2017.

A similar timeline has been offered for newer Pixel and Pixel XL handsets of October 2019. After that, the tech giant will only push necessary security fixes to those devices.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.