Android Security Bulletin February 2017: What you need to know

The February 2017 Android Security Bulletin features more critical flaws than any other bulletin to date, as well as a number of high-rated issues. Get the highlights.

Android users, the Mediaserver is still in the spotlight with Critical and High vulnerabilities this month. But the Mediaserver is not the only issue at hand—in fact, this month there are eight critical flaws. Let's look at the critical flaws that are detailed in the February 2017 Android Security Bulletin.

Check your security release

Before we highlight what's included with the February 2017 Android Security Bulletin, it's always good to know what security release is installed on your device.

Of the Android devices I use regularly, the Verizon-branded Nexus 6 running Android 7.0 is still running the October 2016 security update, and my OnePlus 3 is still behind with the December 2016 security update (Figure A). The Nexus devices (at least the 6) might not receive the next security patch until Android 7.1.1 is rolled out. As for the OnePlus 3, the device has been upgraded to Nougat, but the security patch is still behind; my guess is it will not happen until the device is upgraded from OnePlus Oxygen to Hydrogen.

Figure A

The OnePlus 3 is still behind on its security patch.
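To run the same check across several devices, the patch level can be read over adb and compared with the bulletin month. The script below is an added example, not part of the original article; it assumes the `ro.build.version.security_patch` property (format YYYY-MM-DD), compares by month only, and uses a constructed inventory whose device names and day values are made up.

```shell
#!/bin/sh
# Added example, not from the article. Compares at month granularity only.

# Live read of one device's patch level (needs adb; not called below).
read_patch_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r'
}

# months_behind PATCH_LEVEL(YYYY-MM-DD) BULLETIN(YYYY-MM)
# Prints how many months the device trails the bulletin; returns 2 on bad input.
months_behind() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    case $2 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    py=${1%%-*}; pm=${1#*-}; pm=${pm%%-*}
    by=${2%%-*}; bm=${2#*-}
    pm=${pm#0}; bm=${bm#0}   # avoid 08/09 being parsed as invalid octal
    { [ "$pm" -ge 1 ] && [ "$pm" -le 12 ]; } || return 2
    { [ "$bm" -ge 1 ] && [ "$bm" -le 12 ]; } || return 2
    diff=$(( (by - py) * 12 + bm - pm ))
    if [ "$diff" -lt 0 ]; then diff=0; fi
    echo "$diff"
}

# classify NAME PATCH_LEVEL BULLETIN -> one report line
classify() {
    if behind=$(months_behind "$2" "$3"); then
        if [ "$behind" -eq 0 ]; then echo "$1 OK $2"
        else echo "$1 BEHIND $2 ($behind months before $3)"; fi
    else
        # Empty or malformed value, e.g. a build that does not set the property
        echo "$1 UNKNOWN"
    fi
}

# Constructed inventory; names and day components are made up for the demo.
while read -r name level; do
    classify "$name" "$level" 2017-02
done <<'EOF'
nexus6 2016-10-05
oneplus3 2016-12-01
tablet 2017-02-01
oldphone
EOF
```

For a live device, pass the output of `read_patch_level <serial>` as the second argument to `classify`.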

Critical issues

Remote code execution vulnerability in Surfaceflinger

Surfaceflinger is an Android system-level service that is responsible for compositing all the application and system surfaces into a single buffer that then can be displayed by the display controller. A remote code execution vulnerability discovered in Surfaceflinger could enable an attacker, using a malicious file, to cause memory corruption during media file and data processing. Because of the possibility of remote code execution, this issue is rated as Critical.

Related bug: A-31960359

Remote code execution vulnerability in Mediaserver

And we're back—it's the gift that keeps on giving. A remote code execution vulnerability found in Mediaserver could enable an attacker using a malicious file to cause memory corruption during media file and data processing. Because of the possibility of remote code execution, this issue is rated as Critical.

Related bugs: A-32915871, A-32915871(2), A-32873375

Remote code execution vulnerability in Qualcomm crypto driver

A remote code execution vulnerability discovered in the Qualcomm crypto driver could enable a remote attacker to execute arbitrary code within the context of the kernel. Because of the possibility of remote code execution within the kernel, this issue is rated as Critical.

Related bug: A-32652894

Elevation of privilege vulnerability in kernel file system

An elevation of privilege vulnerability within the kernel file system has been discovered; this could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of a permanent device compromise (which may require reflashing a device), this issue is rated as Critical.

This issue only affects Nexus devices, so the patch is not publicly available. The patch can be found on the Google Developers site.

Related bug: A-31495866

Elevation of privilege vulnerability in NVIDIA GPU driver

Another Nexus-only Critical issue is an elevation of privilege vulnerability found in the NVIDIA GPU driver. This vulnerability could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of a permanent device compromise (which may require reflashing a device), this issue is rated as Critical.

This issue only affects Nexus devices, so the patch is not publicly available. The patch can be found on the Google Developers site.

Related bugs: A-32401526, A-32636619

Elevation of privilege vulnerability in kernel networking subsystem

Another kernel issue is found within the networking subsystem—one that could enable a local malicious application to execute malicious code. Because of the possibility of a permanent device compromise (one that would require reflashing to repair), this issue is rated as Critical.

Related bug: A-32882659

Elevation of privilege vulnerability in Broadcom Wi-Fi driver

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

Vulnerabilities in Qualcomm components

These vulnerabilities were determined to be Critical by Qualcomm. There are numerous component issues; unfortunately, Qualcomm only shares that information with customers. If you are a Qualcomm customer, the vulnerabilities discovered are described in further detail in the Qualcomm AMSS September 2016 security bulletin.

Note that any device running Android 7.0 is safe from these issues.

Related bug: A-32573899

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.

To see the full listing of vulnerabilities (which includes a number of High and Moderate issues), check out the February 2017 Android Security Bulletin.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
