Security

Android Security Bulletin September 2017: What you need to know

The Android media framework is still plagued with critical vulnerabilities. Here are the highlights from the September Android Security Bulletin.

It seems the Android media framework cannot catch a break. With a number of issues marked critical and high, this subsystem continues to remain a weakness for Android. Unfortunately, the media framework isn't the only component to be hit with critical vulnerabilities. Let's take a look at what issues are haunting Android in this take on the September Security Bulletin.

Check the security release on your Android device

Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device.To my surprise, my daily driver OnePlus 3 has finally updated to the August 1, 2017 security patch. To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).

Figure A

Figure A

My OnePlus 3 with an updated security patch.

And now, what's up with the September Security Bulletin?

SEE: Mobile device computing policy (Tech Pro Research)

Critical issues

Media Framework

The media framework was hit hardest with critical vulnerabilities. In fact there are 10 Remote Code Execution (RCE) vulnerabilities listed in the September bulletin. What are RCE vulnerabilities? Any vulnerability that can enable an attacker to access a remote device (and make changes), by way of malicious code. The following issues have been found to contain such vulnerabilities:

A-34621073, A-36006815, A-36492741, A-36715268, A-37237396, A-38448381, A-62214264, A-62534693, A-62872015, A-62872863

System

There were two critical vulnerabilities found within the Android System. These are both RCE vulnerabilities and could enable a proximate attacker to execute arbitrary code within the context of a privileged process. The following issues have been found to contain such vulnerabilities:

A-63146105 and A-63146237

Broadcom components

The Broadcom Wi-Fi driver has been found to contain an RCE vulnerability marked critical. Again, this issue could enable a proximate attacker, using a specially crafted file, to execute arbitrary code within the context of a privileged process. The following issue has been found to contain such a vulnerability:

A-62575138

Qualcomm components

A Qualcomm RCE vulnerability has been found in the shared object library LibOmxVenc, which could allow a remote attacker to execute arbitrary code in the context of a privileged process, using a specially crafted file. The following issue has been found to contain such a vulnerability:

A-36130225

Kernel

The Android kernel didn't escape unscathed. With one RCE vulnerability found within the networking subsystem, a remote hacker could use a specially crafted file to execute arbitrary code within the context of a privileged process. This particular issue enables an attacker to trigger double frees from ip_mc_drop_socket. The following issue has been found to contain such a vulnerability:

A-38413975

That's it for critical flaws.

SEE: Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)

High

Framework

The Android framework contains one vulnerability listed as high. This particular issue is of the EoP type (Exploit) and could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions. The following issue has been found to contain such a vulnerability:

A-62196835

Libraries

There are three issues marked high that could allow a remote hacker to execute arbitrary code within the context of an unprivileged process, by way of a specially crafted file. The following issues have been found to contain such vulnerabilities:

A-62218744 (RCE), A-63852675 (RCE), A-32178311 (EoP)

Media Framework

And we're back. The Media Framework wasn't just found to have critical flaws. Oh no. There were plenty of issues marked high that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The following issues have been found to contain such vulnerabilities:

A-37776688 (RCE), A-37536407 (EoP), A-62019992 (EoP), A-37662122 (EoP), A-38234812 (EoP), A-37624243 (DoS - Denial of Service), A-38115076 (DoS), A-37615911 (DoS), A-62673844 (DoS), A-62673179 (DoS)

Runtime

The Android Runtime environment has been listed to contain a single vulnerability, marked high. This vulnerability could enable a remote attacker using a specially crafted file to cause an application to hang. The following issue has been found to contain such a vulnerability:

A-37742976 (DoS)

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.

Also see

Image: Jack Wallen

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox