It seems the Android Security Bulletin has opted to offer up a bit less information on the surface; migrating from a fairly complete description of vulnerabilities, to more a listing of vulnerabilities, categorized by component. Even with that change, it is possible to discern there are, as expected, still vulnerabilities in need of resolution. Let’s take a look at what issues are haunting Android in this take on the August Security Bulletin.
Check the security release on your Android device
Before we dive into what’s included with this month’s bulletin, it’s always good to know what security release is installed on your device.To my surprise, my daily driver OnePlus 3 is still running the May 1, 2017 security patch. To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).
And now, what’s up with the August Security Bulletin?
As you might expect, the media framework was hit hardest with critical vulnerabilities. In fact there are 10 Remote Code Execution (RCE) vulnerabilities listed in the August bulletin. What are RCE vulnerabilities? Any vulnerability that can enable an attacker to access a remote device (and make changes), by way of malicious code. The following issues have been found to contain such vulnerabilities:
Believe it or not, that’s it for the critical issues this month.
SEE: Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)
This is another RCE vulnerability that affects sfntly, a Java and C++ library used for editing and creating sfnt container based fonts. This library was originally created by the Google Font Team and has been made open source. The following issue has been found to contain such a vulnerability:
The Media Framework wasn’t just found to contain critical vulnerabilities. A number of DoS (Denial of Service) and EoP (Exploit) issues were found and rated high. Here are the related issues (and their type of vulnerability):
- A-36819262 DoS
- A-37627194 DoS
- A-36389123 DoS
- A-37469795 DoS
- A-36279112 DoS
- A-38391487 DoS
- A-38014992 DoS
- A-38239864 DoS
- A-38487564 DoS
- A-35583675 DoS
- A-33004354 EoP
- A-37710346 EoP
- A-36075363 EoP
- A-37504237 EoP
- A-37563942 EoP
One high rated EoP vulnerability was found, such that it could enable a local malicious application to execute arbitrary code within the context of a privileged process. The specific component, found to contain a high-rated vulnerability is the File System. The related bug is A-36266767 and affects the upstream kernel.
The final high-rated vulnerability affects the GPU driver. This EoP issue could enable a local malicious application to execute arbitrary code within the context of a privileged process. The related bug is A-32458601. Details about this particular bug have not been made publicly available.
Surprisingly enough, that’s it for critical and high vulnerabilities in the August Android Security bulletin. Here’s hoping this trend will continue.
Upgrade and update
The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.