Android Security Bulletin August 2017: What you need to know

The Android Security Bulletin has undergone some changes, but that doesn't mean you can't find out what plagues the platform. Here are the highlights.

It seems the Android Security Bulletin has opted to offer a bit less information on the surface, migrating from a fairly complete description of each vulnerability to more of a listing of vulnerabilities categorized by component. Even with that change, it is possible to discern that there are, as expected, still vulnerabilities in need of resolution. Let's take a look at what issues are haunting Android in this take on the August Security Bulletin.

Check the security release on your Android device

Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device. To my surprise, my daily driver OnePlus 3 is still running the May 1, 2017 security patch. To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).

Figure A

A OnePlus 3 running quite an out-of-date security patch.
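
When more than one device needs checking, the same patch-level comparison can be scripted. The script below is an added example, not part of the original article: it assumes patch levels in the YYYY-MM-DD form that `adb shell getprop ro.build.version.security_patch` returns, and the 2017-08-01 baseline and the sample levels are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): compare an Android security patch
# level with a baseline level. Levels are YYYY-MM-DD strings.

# to_num LEVEL -> prints YYYYMMDD; fails if LEVEL does not have that shape
to_num() {
    case "$1" in
        2[0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]) ;;
        *) return 1 ;;
    esac
    rest=${1#*-}
    printf '%s%s%s\n' "${1%%-*}" "${rest%%-*}" "${rest#*-}"
}

# patch_status DEVICE_LEVEL BASELINE -> prints OK, BEHIND <months>, or INVALID
patch_status() {
    dev=$(to_num "$1") || { echo INVALID; return 0; }
    base=$(to_num "$2") || { echo INVALID; return 0; }
    if [ "$dev" -ge "$base" ]; then
        echo OK
        return 0
    fi
    # Calendar months between the levels (0 = same month, earlier day)
    echo "BEHIND $(( (base / 10000 - dev / 10000) * 12 + base / 100 % 100 - dev / 100 % 100 ))"
}

# Assumed baseline: first day of the bulletin month (override via BASELINE)
BASELINE=${BASELINE:-2017-08-01}

if [ "${1:-}" = "--adb" ]; then
    # Read the level from a connected device; needs adb on PATH
    set -- "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
else
    # Constructed samples; the first is the article's May 1, 2017 level
    set -- 2017-05-01 2017-08-05 "May 1, 2017"
fi

for level in "$@"; do
    printf '%-12s %s\n' "$level" "$(patch_status "$level" "$BASELINE")"
done
```

Run it with `--adb` to query a connected device instead of the constructed samples; a level that is not in YYYY-MM-DD form is reported as INVALID rather than guessed at.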

And now, what's up with the August Security Bulletin?

Critical Issues

Media Framework

As you might expect, the media framework was hit hardest with critical vulnerabilities. In fact, there are 10 Remote Code Execution (RCE) vulnerabilities listed in the August bulletin. What are RCE vulnerabilities? Any vulnerability that can enable an attacker to access a remote device (and make changes) by way of malicious code. The following issues have been found to contain such vulnerabilities:

A-36492637, A-36998372, A-37203196, A-37273547, A-37273673, A-37430213, A-37561455, A-37660827, A-37968755, A-37079296.

Believe it or not, that's it for the critical issues this month.

High Issues

Libraries

This is another RCE vulnerability, this one affecting sfntly, a Java and C++ library used for editing and creating sfnt-container-based fonts. This library was originally created by the Google Font Team and has been made open source. The following issue has been found to contain such a vulnerability:

A-32096780

Media Framework

The Media Framework wasn't just found to contain critical vulnerabilities. A number of DoS (Denial of Service) and EoP (Elevation of Privilege) issues were found and rated high. Here are the related issues (and their type of vulnerability):

Kernel components

One high-rated EoP vulnerability was found that could enable a local malicious application to execute arbitrary code within the context of a privileged process. The specific component found to contain this vulnerability is the File System. The related bug is A-36266767 and affects the upstream kernel.

GPU Driver

The final high-rated vulnerability affects the GPU driver. This EoP issue could enable a local malicious application to execute arbitrary code within the context of a privileged process. The related bug is A-32458601. Details about this particular bug have not been made publicly available.

Surprisingly enough, that's it for critical and high vulnerabilities in the August Android Security bulletin. Here's hoping this trend will continue.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates but also apply them as soon as they are available.

Image: Jack Wallen

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
