
Android screws up on security

Published on 02 May 2017


MediaTek, Qualcomm, Motorola, Nvidia all affected

Google’s mobile operating system for hundreds of millions of users is scheduled to receive one of the largest security fixes ever compiled in a single month, according to a Google security bulletin published Monday.

The monthly security bulletin for May 2017 contains a list of so many security vulnerabilities that it had to be split into two separate “patch levels”. The first patch (2017-05-01) contains a list of over 100 security vulnerabilities common to all Android devices, while the second patch (2017-05-05) covers additional fixes for hardware drivers and kernel components that are present only in some devices.
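A check a fleet administrator could run against the two patch levels described above (an added example, not part of the original article or the Google bulletin). It assumes patch level strings are collected from each device, for example from the `ro.build.version.security_patch` property, and that a later patch level includes the fixes of earlier ones; the device names and inventory are constructed.

```shell
#!/bin/sh
# Classify Android security patch level strings against the two
# May 2017 patch levels named in the bulletin.

BASE_LEVEL="2017-05-01"   # fixes common to all Android devices
FULL_LEVEL="2017-05-05"   # adds hardware driver and kernel component fixes

# classify_patch_level YYYY-MM-DD
# Prints: full | partial | missing | invalid
classify_patch_level() {
    level=$1
    # Reject anything that is not exactly YYYY-MM-DD (empty, "unknown", ...)
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # ISO dates order correctly as integers once the dashes are removed
    n=$(echo "$level" | sed 's/-//g')
    base=$(echo "$BASE_LEVEL" | sed 's/-//g')
    full=$(echo "$FULL_LEVEL" | sed 's/-//g')
    if [ "$n" -ge "$full" ]; then
        echo full       # assumption: later levels include earlier fixes
    elif [ "$n" -ge "$base" ]; then
        echo partial    # common fixes only, driver/kernel fixes absent
    else
        echo missing
    fi
}

# Constructed sample inventory: "<device> <patch level>" per line.
SAMPLE_INVENTORY='pixel-01 2017-05-05
nexus6-07 2017-05-01
oem-phone-12 2017-03-01
oem-tablet-03 unknown'

# Read an inventory on stdin and print every device that is not at the
# full level, together with its classification.
audit_inventory() {
    while read -r device level; do
        [ -n "$device" ] || continue
        status=$(classify_patch_level "$level")
        [ "$status" = full ] || echo "$device $status"
    done
}

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

A device reporting `partial` has the fixes common to all devices but still lacks the driver and kernel fixes covered by the second patch level.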

Critical: remote code execution in Mediaserver

One of the biggest patches for Android users this month addresses six critical vulnerabilities in Mediaserver, an Android component with special privileges that handles image processing and video files. A remote code execution vulnerability was discovered that could enable an attacker to cause memory corruption during media file and data processing. In other words, users can be tricked into downloading specially-crafted media files on their devices, or sharing them via email or other messaging apps. The bug was first discovered in early January and affects Android versions 4.4.4 KitKat through 7.1.2 Nougat, though the Mediaserver component has made a regular appearance in monthly Android security bulletins.

Critical: escalation of privilege in Framework APIs

An escalation of privilege vulnerability was also discovered in the Android Framework API that allows malicious applications to get access to custom user permissions. This was also first reported in early January and affects Android 6.0 Marshmallow through Android 7.1.2 Nougat.

In addition to these seven patches, the 2017-05-01 patch also includes fixes for eight high-risk vulnerabilities, five moderate severity flaws, and a low severity issue. Some of these vulnerabilities are also located in the Mediaserver component.

Important: Android Nougat file encryption allows bypassing the lock screen

The security bulletin also identifies a vulnerability in the Android file-based encryption (FBE) feature on Android 7.0 Nougat and later. The feature allows different independent files to be encrypted and unlocked with separate keys. The information disclosure bug currently allows an attacker to bypass operating system protections for the lock screen.

Other important security patches in the sweeping list of 100 vulnerabilities include one for Bluetooth that allows a malicious app to bypass operating system protections that isolate app data. Two more are for bugs in SSL-related software libraries that allow a remote attacker to gain access to sensitive information. Yet another vulnerability has been identified in GIFLIB, a library that’s used by Android for reading and writing GIF format images.

Kernel-level vulnerabilities: MediaTek, Qualcomm, Nvidia, Motorola

In the 2017-05-05 security patch, there are critical vulnerabilities located in a MediaTek touchscreen driver (reported July 2016), Qualcomm and Motorola bootloaders (reported September through December 2016), the Nvidia video driver (reported January 2017), the Qualcomm power driver (reported February 2017), the kernel sound and trace subsystems on Nexus 5X/6/6P/9 and Pixel devices (reported February 2017), and various other Qualcomm components. These can all be exploited by a malicious app to execute arbitrary code at the kernel level, leading to a complete and permanent compromise of a user’s device. In most cases, recovering from such an attack will require reflashing the firmware.

Bulletin covers some patches addressed in previous years

Some of the flaws listed in this bulletin have already been covered by patches released by chipset vendors over the past few years, though most of them appear to cover a range between Q2 2016 and Q1 2017. Google has decided to include all of them in its own bulletins to associate their fixes with an Android security patch.

Google only issues official firmware updates for its currently supported Nexus and Pixel devices and makes the full binary images available on its developer site. Owners of these devices should receive the complete patch in an over-the-air update around Friday. Last week, the company revealed that its Nexus 6 and Nexus 9, which were released in November 2014, will no longer be “guaranteed” to receive updates after October 2017. Its newer devices, including the Pixel and Pixel XL, will then lose that guarantee after October 2019. The company states, “Nexus devices get security updates for at least three years from when the device first became available on the Google Store, or at least 18 months from when the Google Store last sold the device.”

Expect OEM firmware updates from partners soon

For all other Android owners not using a Nexus or Pixel device, Google notified its partners of the issues described in the bulletin on or before April 3rd, so we can expect firmware updates from various manufacturers within the next few weeks.

Last modified on 03 May 2017