Android Security Bulletin May 2017: What you need to know

The May 2017 Android Security Bulletin shatters its previous record of critical vulnerabilities. Get the highlights.

Not happy with its previous record of nine Critical vulnerabilities, the Android platform has one-upped itself with 10. Some of these affect Nexus and/or Pixel devices, while others apply to all devices running Android 4.4.4 all the way to 7.1.2. Let's take a look at the Critical flaw highlights, as detailed in the May 2017 Android Security Bulletin.

Check your security release

Before we highlight what's included with the May 2017 Android Security Bulletin, it's always good to know what security release is installed on your device. Of the Android devices I use regularly, both the Verizon-branded Nexus 6, running Android 7.0, and the OnePlus 3, running Android 7.1.1, are still running the March security patch (Figure A).

Figure A

My OnePlus 3 running the March security patch.
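
For more than one device, the same check can be scripted over adb instead of reading each Settings screen. The following is an added example, not part of the original article: it reads the `ro.build.version.security_patch` property and flags devices below a required level. The `2017-05-05` level string comes from Google's bulletin rather than this page, and the serials in the sample inventory are constructed.

```shell
#!/bin/sh
# Added example (not from the article): classify Android security patch levels.
# Assumption: 2017-05-05 is the complete May 2017 patch level string, taken
# from Google's bulletin rather than from this page.
REQUIRED_LEVEL="2017-05-05"

# patch_status DEVICE_LEVEL [REQUIRED_LEVEL]
# Prints "current", "outdated" or "invalid". An empty or malformed value is
# "invalid": builds that predate the property return nothing for it.
patch_status() {
    _level="$1"
    _required="${2:-$REQUIRED_LEVEL}"
    case "$_level" in
        [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]) ;;
        *) echo "invalid"; return 0 ;;
    esac
    # YYYY-MM-DD with the dashes removed compares correctly as an integer.
    _have=$(printf '%s' "$_level" | tr -d '-')
    _need=$(printf '%s' "$_required" | tr -d '-')
    if [ "$_have" -lt "$_need" ]; then echo "outdated"; else echo "current"; fi
}

# audit_report: reads "serial patch_level" lines on stdin and prints one
# "serial level verdict" line per device.
audit_report() {
    while read -r _serial _lvl; do
        [ -n "$_serial" ] || continue
        printf '%s %s %s\n' "$_serial" "${_lvl:-unknown}" "$(patch_status "$_lvl")"
    done
}

# collect_from_adb: emits "serial patch_level" for every attached, authorized
# device. Requires adb on PATH. stdin is redirected because "adb shell" would
# otherwise swallow the rest of the serial list feeding the loop.
collect_from_adb() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r _serial; do
        printf '%s %s\n' "$_serial" "$(adb -s "$_serial" shell getprop \
            ro.build.version.security_patch < /dev/null | tr -d '\r')"
    done
}

# Constructed sample inventory (serials are made up). With real hardware use:
#   collect_from_adb | audit_report
sample_inventory() {
    printf '%s\n' 'NEXUS6-TEST 2017-03-01' 'PIXEL-TEST 2017-05-05' 'LEGACY-TEST'
}

sample_inventory | audit_report
```

A device that reports no patch level at all is listed as `invalid` rather than silently passing, so it still shows up for follow-up.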

Let's take a look at those Critical vulnerabilities affecting the Android platform.

Critical vulnerabilities

Remote code execution vulnerability in Mediaserver

Color me not surprised that we have a holdover critical issue for the oft-plagued Mediaserver. Yet again the much-maligned Mediaserver system includes a remote code execution vulnerability that could enable an attacker, using a specially crafted file, to cause memory corruption during media file and data processing. Because of the possibility of remote code execution, this issue has been rated as Critical.

Related bugs: A-35219737, A-34618607, A-34897036, A-35039946, A-34097672, A-34970788

Remote code execution vulnerability in GIFLIB

GIFLIB, a library and utilities for processing GIFs, has been found to contain a remote code execution vulnerability that could enable an attacker, using a specially crafted file, to cause memory corruption during media file and data processing. Because of the possibility of remote code execution, this issue has been rated as Critical.

Related bug: A-34697653

Elevation of privilege vulnerability in MediaTek touchscreen driver

Another holdover from last month's bulletin is found in the MediaTek touchscreen driver. This system has been found to contain an elevation of privilege vulnerability that could enable a local malicious application to execute arbitrary code within the kernel. Because of the possibility of device compromise (which could require reflashing the operating system to repair the device), this issue has been rated as Critical.

Related bug: A-30202412

NOTE: The patch for the A-30202412 bug is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Elevation of privilege vulnerability in Qualcomm bootloader

The Qualcomm bootloader has been found to contain an elevation of privilege vulnerability that could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device, this issue has been rated as Critical.

Related bugs: A-34514954*, A-32952839**

* This issue only affects the Nexus 5X, Nexus 6, the Pixel and Pixel XL, and Android One devices.

** This issue only affects the Nexus 5X, Nexus 6P, Pixel, and Pixel XL devices.

Elevation of privilege vulnerability in kernel sound subsystem

The kernel sound subsystem has been found to contain an elevation of privilege vulnerability that could enable a local malicious application to execute arbitrary (and possibly malicious) code within the context of the kernel. Because of the possibility of a local device compromise (which would require reflashing the operating system to repair the affected device), this issue has been rated as Critical.

Related bug: A-34068036

This issue only affects the Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Pixel, Pixel XL, Pixel C, Android One, and Nexus Player devices.

Elevation of privilege vulnerability in Motorola bootloader

The Motorola bootloader has been found to contain an elevation of privilege vulnerability that could enable a local malicious application to execute arbitrary (and possibly malicious) code during the bootload process. Because of the possibility of a local device compromise (which would require reflashing the operating system to repair the affected device), this issue has been rated as Critical.

Related bug: A-33840490

NOTE: The patch for the A-33840490 bug is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Elevation of privilege vulnerability in NVIDIA video driver

The NVIDIA video driver has been found to contain an elevation of privilege vulnerability that could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of a local device compromise (which would require reflashing the operating system to repair the affected device), this issue has been rated as Critical.

Related bug: A-34113000

NOTE: The patch for the A-34113000 bug is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

This issue only affects Nexus 9 devices.

Elevation of privilege vulnerability in Qualcomm power driver

The Qualcomm power driver has been discovered to contain an elevation of privilege vulnerability that could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of a local device compromise (which would require reflashing the operating system to repair the affected device), this issue has been rated as Critical.

Related bug: A-35392981

NOTE: All Google devices running Android 7.1.1 or later that have installed all updates are not affected by this issue.

Elevation of privilege vulnerability in kernel trace subsystem

The kernel trace subsystem (a system used for debugging the kernel) has been found to contain an elevation of privilege vulnerability that could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of a local device compromise (which would require reflashing the operating system to repair the affected device), this issue has been rated as Critical.

Related bug: A-35399704

This issue only affects the Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Pixel, Pixel XL, Pixel C, Android One, and Nexus Player devices.

Vulnerabilities in Qualcomm components

Two critical vulnerabilities have been found to affect Qualcomm components. These bugs are addressed, in detail, in the Qualcomm AMSS October 2016 security bulletin.

Related bugs: A-32578446*, A-35436149**

NOTE: The patch for both the A-31628601 and the A-35358527 bugs is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

* This issue only affects the Nexus 6P device.

** This issue affects the Nexus 5X, Nexus 6, Nexus 6P, Pixel, and Pixel XL devices.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available. To see the full listing of vulnerabilities (which includes a number of high and moderate issues), check out the May 2017 Android Security Bulletin.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
