Android Security Bulletin January 2017: What you need to know

Although the January 2017 Android Security Bulletin carries only one new Critical vulnerability in its partial (2017-01-01) patch level, there are plenty of flaws this month. Get the highlights.

Anyone who follows the Android Security Bulletins is all too familiar with Mediaserver, and it is back in the spotlight this month with both Critical and High vulnerabilities. Mediaserver is not the only problem, though: the bulletin also covers new remote code execution bugs in two libraries that have not appeared before, privilege escalation in Audioserver and the Framework APIs, and a remote denial of service in core networking. Let's look at the highlights from the January 2017 Android Security Bulletin.

Check your security release

Before we highlight what's included in the January 2017 Android Security Bulletin, it's worth knowing which security release is installed on your device. On Android 6.0 and later you will find it under Settings > About phone as "Android security patch level", shown as a date string; a device that reports 2017-01-01 has the partial patch level described in this article, while one that reports 2017-01-05 also has the kernel and vendor-component fixes that complete the bulletin.

Of the Android devices I use regularly, the Verizon-branded Nexus 6 running Android 7.0 has the October 2016 security update (Figure A), and my OnePlus 3 is still behind with the November 2016 security update. The Nexus devices (at least the 6) might not receive the next security patch until Android 7.1.1 is rolled out. As for the OnePlus 3, the next security patch most likely won't happen until it is upgraded to Nougat. Suffice it to say, the security patch releases aren't flowing nearly as well as they once were.

Figure A

The Nexus 6 running Android 7 and October's security patch.
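Checking one phone by hand is fine; checking a drawer of test devices or a small fleet is not. The following shell script is an added example, not part of the article: it reads the same "Android security patch level" string that Settings shows, via the system property ro.build.version.security_patch, and classifies it against the January 2017 bulletin's two patch strings (2017-01-01 partial, 2017-01-05 complete). The classification functions run offline on any YYYY-MM-DD string; only device_report needs adb on PATH and USB debugging enabled on the devices. The device output format and function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the article): classify an Android security patch
# level against the January 2017 bulletin and, optionally, pull the level
# from every device attached over adb. Only device_report needs adb; the
# classification functions run offline.
# ro.build.version.security_patch is the system property behind the
# "Android security patch level" line in Settings > About phone.

PARTIAL_LEVEL=2017-01-01    # partial patch string for January 2017
COMPLETE_LEVEL=2017-01-05   # complete patch string for January 2017

# level_num 2016-10-01 -> 20161001; prints nothing if not YYYY-MM-DD.
# Patch levels are ISO dates, so the digits compare numerically in order.
level_num() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$1" | sed 's/-//g' ;;
    *) echo "" ;;
  esac
}

# patch_status LEVEL -> complete | partial | behind | invalid
patch_status() {
  n=$(level_num "$1")
  [ -n "$n" ] || { echo invalid; return 1; }
  if [ "$n" -ge "$(level_num "$COMPLETE_LEVEL")" ]; then
    echo complete
  elif [ "$n" -ge "$(level_num "$PARTIAL_LEVEL")" ]; then
    echo partial
  else
    echo behind
  fi
}

# months_behind LEVEL -> whole months between LEVEL and the partial level,
# 0 when the device is current or ahead. Uses year*12+month arithmetic so
# 2016-10-01 against 2017-01-01 gives 3, matching the Nexus 6 in Figure A.
months_behind() {
  n=$(level_num "$1")
  [ -n "$n" ] || return 1
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; m=${m#0}
  by=${PARTIAL_LEVEL%%-*}; brest=${PARTIAL_LEVEL#*-}; bm=${brest%%-*}; bm=${bm#0}
  diff=$(( (by * 12 + bm) - (y * 12 + m) ))
  if [ "$diff" -gt 0 ]; then echo "$diff"; else echo 0; fi
}

# device_report: one tab-separated line per attached device:
# serial, Android release, patch level, status and months behind.
device_report() {
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
  while read -r serial; do
    level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
    release=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
    printf '%s\tAndroid %s\t%s\t%s (%s months behind)\n' \
      "$serial" "$release" "$level" "$(patch_status "$level")" "$(months_behind "$level")"
  done
}
```

Run `device_report` with the devices plugged in; a line ending in "behind (3 months behind)" is a device that has none of this bulletin's fixes and should be treated as exposed to everything listed below. Note that the property only tells you what the OEM build claims; it does not prove a particular bug ID was back-ported, which is why the bulletin's patch strings, not the Android version, are the thing to track.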

Critical issues

Remote code execution vulnerability in Mediaserver

Fortunately, the 2017-01-01 patch level sneaks by with only one Critical vulnerability; unfortunately, that issue is in Mediaserver. That's right, our old friend is back with yet another remote code execution vulnerability. (Keep in mind that the complete 2017-01-05 patch level adds a long list of kernel and chipset-vendor driver issues, several of them also rated Critical, which this article does not walk through.)

An attacker who gets a crafted media file onto the device (in a message, on a web page, or inside an app) could trigger memory corruption while Mediaserver parses it, and run code in the context of the Mediaserver process without any further user interaction. That remote, no-click path is why the issue is rated Critical.

Related bug: A-31607432

High issues

Remote code execution vulnerability in c-ares

A new contender in the Security Bulletin is c-ares (a C library for asynchronous DNS requests, bundled in Android for use by native code). This is the upstream c-ares bug CVE-2016-5180, a one-byte heap overflow in ares_create_query triggered by a hostname ending in an escaped dot, so the "specially crafted request" here is a hostname the vulnerable app is asked to resolve. It could let an attacker execute code in the context of an unprivileged process. Because code can be executed remotely in any application that links the c-ares library, the issue is rated High.

Related bug: A-32205736

Remote code execution vulnerability in Framesequence

Another new player in the Security Bulletin is the Framesequence library, which Android uses to decode animated images such as GIFs. This is yet another remote code execution flaw: a crafted animated image could let an attacker run arbitrary code in the context of the unprivileged process that decodes it. Because the code runs in an unprivileged process rather than in Mediaserver, the rating is High rather than Critical.

Related bug: A-32338390

Elevation of privilege vulnerability in Framework APIs

A repeat offender, Framework APIs are vulnerable to an elevation of privilege issue that could enable a local malicious application to execute arbitrary code within the context of a privileged process. Because this vulnerability can be used to gain local access to elevated privileges (which are not usually accessible by third-party applications), this issue is marked as High.

Related bug: A-31677614

Elevation of privilege vulnerability in Audioserver

Two bugs, each rated High, have been found in the Android Audioserver. Both are elevation of privilege vulnerabilities that could enable a local malicious application to execute arbitrary code within the context of a privileged process. Because they give a third-party app local access to capabilities it should not have, both are rated High.

Related bugs: A-32095626 and A-32585400

Information disclosure vulnerability in External Storage Provider

The External Storage Provider contains an information disclosure vulnerability. This issue could enable a local, non-primary user to read data from an external storage SD card that should only be accessible by the primary user. Because this vulnerability allows users to access data without permission, it is rated as High.

Related bug: A-32523490

Denial of service vulnerability in core networking

The Android core networking code contains a denial of service vulnerability that could let a remote attacker hang or reboot a device with a malicious network packet. Because it can be triggered remotely with no user interaction, it is rated High.

Related bug: A-31850211

Denial of service vulnerability in Mediaserver

Never one to be shown up, Mediaserver also contributes four denial of service bugs. Each could enable a remote attacker to hang or reboot a device with a malicious media file. Because the denial of service can be triggered remotely, each is rated High.

Related bugs: A-31647370, A-32322258, A-32577290, and A-30436808

Moderate issues

Elevation of privilege vulnerability in Contacts

The Contacts app contains an elevation of privilege vulnerability that could enable a local malicious app to create contact information without the user's knowledge. Because this vulnerability bypasses user interaction, it is marked as Moderate.

Related bug: A-32219099

Information disclosure vulnerability in Audioserver

The Audioserver contains a number of vulnerabilities that could enable local malicious applications to access data outside their permission levels. Because of the ability to access data without permission, this issue is marked as Moderate.

Related bugs: A-32438594, A-32635664, A-32624850, A-32247948, A-32584034, A-32448258, and A-32436341

Upgrade and update

Google has published the fixes to the Android Open Source Project, but it is up to device makers and carriers to ship them and up to end users to install them. Check for updates, apply them as soon as they are available, and compare the patch level your device reports afterward with the 2017-01-01 and 2017-01-05 strings in the bulletin rather than trusting the Android version number alone.

To see the full listing of vulnerabilities, check out the Android January Security Bulletin.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.