Android Security Bulletin August 2017: What you need to know

It seems the Android Security Bulletin has opted to offer up a bit less information on the surface; migrating from a fairly complete description of vulnerabilities, to more a listing of vulnerabilities, categorized by component. Even with that change, it is possible to discern there are, as expected, still vulnerabilities in need of resolution. Let's take a look at what issues are haunting Android in this take on the August Security Bulletin.

Check the security release on your Android device

Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device.To my surprise, my daily driver OnePlus 3 is still running the May 1, 2017 security patch. To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).

Figure A

And now, what's up with the August Security Bulletin?

Critical Issues

Media Framework

As you might expect, the media framework was hit hardest with critical vulnerabilities. In fact there are 10 Remote Code Execution (RCE) vulnerabilities listed in the August bulletin. What are RCE vulnerabilities? Any vulnerability that can enable an attacker to access a remote device (and make changes), by way of malicious code. The following issues have been found to contain such vulnerabilities:

A-36492637, A-36998372, A-37203196, A-37273547, A-37273673, A-37430213, A-37561455, A-37660827, A-37968755, A-37079296.

Believe it or not, that's it for the critical issues this month.

SEE: Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)

High Issues

Libraries

This is another RCE vulnerability that affects sfntly, a Java and C++ library used for editing and creating sfnt container based fonts. This library was originally created by the Google Font Team and has been made open source. The following issue has been found to contain such a vulnerability:

A-32096780

Media Framework

The Media Framework wasn't just found to contain critical vulnerabilities. A number of DoS (Denial of Service) and EoP (Exploit) issues were found and rated high. Here are the related issues (and their type of vulnerability):

• A-36819262 DoS
• A-37627194 DoS
• A-36389123 DoS
• A-37469795 DoS
• A-36279112 DoS
• A-38391487 DoS
• A-38014992 DoS
• A-38239864 DoS
• A-38487564 DoS
• A-35583675 DoS
• A-33004354 EoP
• A-37710346 EoP
• A-36075363 EoP
• A-37504237 EoP
• A-37563942 EoP

Kernel components

One high rated EoP vulnerability was found, such that it could enable a local malicious application to execute arbitrary code within the context of a privileged process. The specific component, found to contain a high-rated vulnerability is the File System. The related bug is A-36266767 and affects the upstream kernel.

GPU Driver

The final high-rated vulnerability affects the GPU driver. This EoP issue could enable a local malicious application to execute arbitrary code within the context of a privileged process. The related bug is A-32458601. Details about this particular bug have not been made publicly available.

Surprisingly enough, that's it for critical and high vulnerabilities in the August Android Security bulletin. Here's hoping this trend will continue.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.

Also see

• Android Security Bulletin July 2017: What you need to know (TechRepublic)
• Android Security Bulletin June 2017: What you need to know (TechRepublic)
• Android Security Bulletin May 2017: What you need to know (TechRepublic)
• Android Security Bulletin April 2017: What you need to know (TechRepublic)
• Android Security Bulletin March 2017: What you need to know (TechRepublic)
• Android ransomware up more than 50%, locking users' devices until they pay (TechRepublic)
• Don't use Android pattern lock to protect secrets, researchers warn (ZDNet)
• Android Security Bulletin February 2017: What you need to know (TechRepublic)
• Android Security Bulletin January 2017: What you need to know (TechRepublic)
• Android Security Bulletin December 2016: What you need to know (TechRepublic)
• Android Security Bulletin November 2016: What you need to know (TechRepublic)
• Android Security Bulletin October 2016: What you need to know (TechRepublic)
• Android Security Bulletin August 2016: What you need to know (TechRepublic)
• Android June 2016 Security Bulletin: What you need to know (TechRepublic)
• Android Security Update May 2016: What you need to know (TechRepublic)
• Android Security Update April 2016: What you need to know (TechRepublic)
• Android Security Update March 2016: What you need to know (TechRepublic)