Once again, the Android platform has been found to contain more critical vulnerabilities than the previous month. In March, there were eight total critical issues and now, for April, there are a chart-topping nine. Let’s take a look at those critical flaws that are detailed in the April 2017 Android Security bulletin.

Check your security release

Before we highlight what’s included with the April 2017 Android Security Bulletin, it’s always good to know what security release is installed on your device. Of the Android devices I use regularly, both the Verizon-branded Nexus 6, running Android 7.0, and the OnePlus 3, running Android 7.1.1, are running the March security patch (Figure A).

Figure A

Let’s take a look at those critical vulnerabilities affecting the Android platform.

Critical issues

Remote code execution vulnerability in Mediaserver

Color me not surprised that a critical issue remains for the oft-plagued Mediaserver. Once again we have a remote code execution vulnerability within the Mediaserver that could enable an attacker, using a specially-crafted file, to cause memory corruption during media file and data processing. Because of the possibility of remote code execution, this issue has been rated as critical.

Related bugs: A-33641588, A-33864300, A-33966031, A-34031018, A-33934721, A-34097866

Remote code execution vulnerability in Broadcom Wi-Fi firmware

Another remote code execution vulnerability has been found, this time in the Broadcom Wi-Fi firmware. This issue could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi System on a Chip (SoC). Because of the possibility of remote code execution, within the context of the Wi-Fi SoC, this issue has been rated as critical.

Related bug: A-34199105

NOTE: The patch for the above vulnerability is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

SEE: Mobile devices with Broadcom chipsets may be vulnerable to Wi-Fi hijacking

Remote code execution vulnerability in Qualcomm crypto engine driver

The Qualcomm crytpo engine driver has been found to contain a remote code execution vulnerability that could enable a remote attacker to execute arbitrary code within the context of the kernel. Because of the possibility of remote code execution (within the context of the kernel) this issue has been rated as critical.

Related bugs: A-34389927, QC-CR#1091408

Remote code execution vulnerability in kernel networking subsystem

A remote code execution vulnerability was located within the kernel networking subsystem which could enable a remote attacker to execute arbitrary code within the kernel. This bug does not affect upstream kernels, so any kernel not labeled as upstream could be affected. Because of the possibility of remote code execution, this vulnerability has been rated as critical.

Related bugs: A-32813456, Upstream kernel

Elevation of privilege vulnerability in MediaTek touchscreen driver

The MediaTek touchscreen driver has been found to contain an elevation of privilege vulnerability that could enable a local malicious application to execute arbitrary code within the kernel. Because of the possibility of device compromise (which could require reflashing the operating system to repair the device), this issue has been rated as critical.

Related Bugs: A-30202425, M-ALPS02898189

NOTE: The patch for the A-30202425 bug is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Elevation of privilege vulnerability in HTC touchscreen driver

Another bug in a different touchscreen driver (this time in HTC devices) has been found to contain an elevation of privilege vulnerability that could enable a local malicious application to execute arbitrary code within the the kernel. Because of the possibility of device compromise (which could require reflashing the operating system to repair the device), this issue has been rated as critical.

Related bug: A-32089409NOTE: The patch for the A-32089409 bug is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Elevation of privilege vulnerability in kernel ION subsystem

A bug from the previous month has shown itself again. The ION Memory Allocator has been found to contain an elevation of privilege vulnerability. This kernel vulnerability could enable a local malicious application to execute arbitrary, malicious code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this flaw has been marked as critical.

Related bug: A-34276203

NOTE: The patch for the A-34276203 bug is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Vulnerabilities in Qualcomm components

Two critical vulnerabilities have been found to affect Qualcomm components. These bugs are addressed, in detail, in the Qualcomm AMSS October 2016 security bulletin.

Related bugs: A-31628601, A-35358527

NOTE: The patch for both the A-31628601 and the A-35358527 bugs is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available. To see the full listing of vulnerabilities (which includes a number of high and moderate issues), check out the April 2017 Android Security Bulletin.