Security

Android Security Bulletin January 2018: What you need to know

The first month of the year was somewhat kind on Android security. Here are the highlights from the January Android Security Bulletin.

Image: Jack Wallen

A scant five vulnerabilities were marked as Critical in the latest Security Bulletin—continuing a trend for the platform, which might well point to the hardening found within Oreo. Along with those Critical vulnerabilities, comes a few marked as High. Let's take a look at what issues are to be found in the 2018-01-01 and 2018-01-05 patches.

Check the security release on your Android device

Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device. To no surprise, my daily driver, an Essential PH-1, is running the latest security patch (January 5, 2018). To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).

Figure A

Figure A

Essential is always up on the latest security patches.

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCE—Remote code execution
  • EoP—Elevation of privilege
  • ID—Information disclosure
  • DoS—Denial of service

SEE: Special report: Cybersecurity in an IoT and mobile world (free PDF)

2018-01-01

Critical Vulnerabilities

There were four Critical vulnerabilities found in the 01-01 patch.

Media Framework

The first three vulnerabilities are to be found in the media framework. These vulnerabilities are each of the RCE type and could enable a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. The related issues are:

The final Critical vulnerability found in the 2018-01-01 patch, also of the type RCE, affects the system and could enable a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. The related issue is: A-67474440.

High Vulnerabilities

And now we drop away from the Critical vulnerabilities into the realm of issues marked High. Within this area, we find a number of encountered bugs. The first, and most severe, is within the Android Runtime. This EoP-type issue could enable a remote attacker to bypass user interaction requirements to gain access to additional permissions. The related issue is: A-68341964.

And now, the bulk of issues for the January Security Bulletin are to be found within Media Framework. There are 12 vulnerabilities marked High, which can be found DoS and EoP types. These vulnerabilities could enable a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. The related bugs (and their associated types) are:

The Android System contains three vulnerabilities marked as High. Each of those could enable a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. The related issues are:

2018-01-05

Now we move onto 01-05 security patch level, where there was a lone Critical vulnerability and a few marked High.

Critical Vulnerabilities

The single vulnerability marked Critical is found within the Qualcomm components. As these components are closed source, details can only be found within the Qualcomm AMSS security bulletin/alert. The related issue is: A-62212946.

High Vulnerabilities

The remainder of the 01-05 security patch consists of vulnerabilities marked High. They begin with HTC components. This vulnerability is of type DoS and could enable a remote attacker to force a denial of service in a critical system process. The related issue is: A-38495900.

Next in line is the Kernel, which suffers from four vulnerabilities marked High. These issues could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. The related issues are:

  • A-66694921—EoP—TCP packet processing
  • A-64386293—EoP—Skcipher
  • A-66954097—EoP—Ashmem
  • A-68266545—ID—High-precision timers

LG components suffer a single vulnerability marked High. This EoP-type issue could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. The related issue is: A-68269077—Bootloader.

Once again, we are back at the Media Framework. A single EoP-type vulnerability that could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process has been found. The related issue is: A-38118127.

MediaTek didn't escape scrutiny. A single EoP-type vulnerability has been discovered that could enable a local malicious application to execute arbitrary code within the context of a privileged process. The related issue is: A-38308024.

The NVIDIA driver was discovered to contain an EoP vulnerability that could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. The related issue is: A-37776156.

Finally, Qualcomm's open source components have been found to contain two EoP-type vulnerabilities that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The related bugs are:

  • CVE-2017-15849—Display
  • CVE-2017-11069—Bootloader

That's it for the critical and high vulnerabilities found in the latest security patches for Android.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.

Also See

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox