Security

Android Security Bulletin March 2017: What you need to know

The March 2017 Android Security Bulletin turned out to be another month with the platform once again topping its previous number of critical flaws. Get the highlights.

Image: Jack Wallen

The hits keep coming for the Android platform. Previously, in the February 2017 Security Bulletin, there were eight vulnerabilities marked Critical. This month, that number jumps to an unheard of eleven Critical issues. Let's take a look at those Critical flaws that are detailed in the March 2017 Android Security bulletin.

Check your security release

Before we highlight what's included with the March 2017 Android Security Bulletin, it's always good to know what security release is installed on your device. Of the Android devices I use regularly, the Verizon-branded Nexus 6, running Android 7.0, finally caught up to the latest security bulletin (Figure A). However, my daily driver, a OnePlus 3, is still lagging with the December 2016 security update. Although the OnePlus 3 has been upgraded to Nougat, the security patch is still behind; my guess is the security patch update will not happen until the device is upgraded to 7.1.1.

Figure A

Figure A

The Nexus 6 has caught up to the security patching.

Critical Issues

Remote code execution vulnerability in OpenSSL & BoringSSL

There's nothing boring about BoringSSL, especially when it suffers from a critical vulnerability. In fact, both OpenSSL and BoringSSL have been found to contain issues. This particular remote code execution vulnerability could enable an attacker, using a malicious file, to cause memory corruption during file and data processing. Because of the possibility of remote code execution within the context of a privileged process, this vulnerability is marked as Critical.

Related bug: A-32096880

Remote code execution vulnerability in Mediaserver

There's a certain comfort in knowing the Mediaserver will continue to return to the Security Bulletin — like a dear friend that never leaves. Yet another remote code execution vulnerability could enable the attacker, using a malicious file, to cause memory corruption during the processing of either a media file or media-related data. Because of the possibility of remote code execution within the context of the Mediaserver, this vulnerability has been rated as Critical.

Related bugs: A-33139050, A-33250932, A-33351708, A-33450635, A-33818500, A-33816782, A-33862021, A-33982658, A-32589224

Elevation of privilege vulnerability in recovery verifier

A new entry to the Critical scene, the recovery verifier has been found to contain an elevation of privilege vulnerability. This vulnerability could enable a locally installed, malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this issue is rated as Critical.

Related bug: A-31914369

Elevation of privilege vulnerability in MediaTek components

MediaTek components (including the M4U, sound, touchscreen, GPU, and Command Queue drivers) have been discovered to contain an elevation of privilege vulnerability. This flaw could enable a local, malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require reflashing the operating system), this vulnerability has been marked as Critical.

Related bugs: A-28429685, M-ALPS02710006, A-28430015, M-ALPS02708983, A-28430164, M-ALPS02710027, A-28449045, M-ALPS02710075, A-30074628, M-ALPS02829371, A-31822282, M-ALPS02992041, A-32276718, M-ALPS03006904

NOTE: The patch for the A* bugs is not publically available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Elevation of privilege vulnerability in NVIDIA GPU driver

The NVIDIA GPU driver has been found to contain an elevation of privilege vulnerability. This flaw could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this vulnerability has been marked as Critical.

Related bugs: A-31992762, N-CVE-2017-0337, A-33057977, N-CVE-2017-0338, A-33899363, N-CVE-2017-0333, A-34132950, N-CVE-2017-0306, A-33043375, N-CVE-2017-0335

NOTE: The patch for the A* bugs is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Elevation of privilege vulnerability in kernel ION subsystem

The ION Memory Allocator has been found to contain an elevation of privilege vulnerability. This kernel vulnerability could enable a local malicious application to execute arbitrary, malicious code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this flaw has been marked as Critical.

Related bugs: A-31992382, A-33940449

NOTE: The patch for the A* bugs is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Elevation of privilege vulnerability in Broadcom Wi-Fi driver

The Broadcom Wi-Fi driver has been found to contain an elevation of privilege vulnerability. This vulnerability could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this flaw has been marked as Critical.

Related bugs: A-32124445, B-RB#110688

NOTE: The patch for the A* bugs is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Elevation of privilege vulnerability in kernel FIQ debugger

The kernel FIQ (Fast Interrupt reQuest) debugger has been found to contain an elevation of privilege vulnerability. This vulnerability could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this flaw has been marked as Critical.

Related bug: A-32402555

NOTE: The patch for the A* bugs is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Elevation of privilege vulnerability in Qualcomm GPU driver

The Qualcomm GPU driver has been found to contain an elevation of privilege vulnerability. This vulnerability could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this flaw has been marked as Critical.

Related bugs: A-31824853, QC-CR#1093687

NOTE: The patch for the A* bugs is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Elevation of privilege vulnerability in kernel networking subsystem

Even the the kernel network subsystem isn't immune to elevation of privilege vulnerabilities. Like many of the other critical vulnerabilities, the flaw in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this flaw has been marked as Critical.

Related bugs: A-33393474, A-33753815

Critical vulnerabilities in Qualcomm components

The Qualcomm component vulnerability has returned for another month, only this time with a few extra bugs. Numerous Qualcomm components have been discovered to contain critical vulnerabilities and were determined to be Critical by Qualcomm. Unfortunately, Qualcomm only shares the information regarding these flaws with customers.

Related bugs: A-28823575, A-28823681, A-28823691, A-28823724, A-31625756

Note that any device running Android 7.0 is safe from these issues and the patch for the A* bugs is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available. To see the full listing of vulnerabilities (which includes a number of High and Moderate issues), check out the March 2017 Android Security Bulletin.

Also see

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox