A scant five vulnerabilities were marked as Critical in the latest Security Bulletin–continuing a trend for the platform, which might well point to the hardening found within Oreo. Along with those Critical vulnerabilities, comes a few marked as High. Let’s take a look at what issues are to be found in the 2018-01-01 and 2018-01-05 patches.
Check the security release on your Android device
Before we dive into what’s included with this month’s bulletin, it’s always good to know what security release is installed on your device. To no surprise, my daily driver, an Essential PH-1, is running the latest security patch (January 5, 2018). To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).
Figure A
Terminology
You will find different types of vulnerabilities listed. Possible types include:
- RCE–Remote code execution
- EoP–Elevation of privilege
- ID–Information disclosure
- DoS–Denial of service
SEE: Special report: Cybersecurity in an IoT and mobile world (free PDF)
2018-01-01
Critical Vulnerabilities
There were four Critical vulnerabilities found in the 01-01 patch.
Media Framework
The first three vulnerabilities are to be found in the media framework. These vulnerabilities are each of the RCE type and could enable a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. The related issues are:
The final Critical vulnerability found in the 2018-01-01 patch, also of the type RCE, affects the system and could enable a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. The related issue is: A-67474440.
High Vulnerabilities
And now we drop away from the Critical vulnerabilities into the realm of issues marked High. Within this area, we find a number of encountered bugs. The first, and most severe, is within the Android Runtime. This EoP-type issue could enable a remote attacker to bypass user interaction requirements to gain access to additional permissions. The related issue is: A-68341964.
And now, the bulk of issues for the January Security Bulletin are to be found within Media Framework. There are 12 vulnerabilities marked High, which can be found DoS and EoP types. These vulnerabilities could enable a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. The related bugs (and their associated types) are:
- A-66969349–EoP
- A-67864232–EoP
- A-67737022–EoP
- A-65483324–EoP
- A-64452857–DoS
- A-64380403–DoS
- A-64380202–DoS
- A-65718319–DoS
- A-65398821–DoS
- A-63522067–DoS
- A-64784973–DoS
- A-33846679–DoS
The Android System contains three vulnerabilities marked as High. Each of those could enable a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. The related issues are:
- A-68217907–EoP
- A-67782345–EoP
- A-65174158–DoS
2018-01-05
Now we move onto 01-05 security patch level, where there was a lone Critical vulnerability and a few marked High.
Critical Vulnerabilities
The single vulnerability marked Critical is found within the Qualcomm components. As these components are closed source, details can only be found within the Qualcomm AMSS security bulletin/alert. The related issue is: A-62212946.
High Vulnerabilities
The remainder of the 01-05 security patch consists of vulnerabilities marked High. They begin with HTC components. This vulnerability is of type DoS and could enable a remote attacker to force a denial of service in a critical system process. The related issue is: A-38495900.
Next in line is the Kernel, which suffers from four vulnerabilities marked High. These issues could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. The related issues are:
- A-66694921–EoP–TCP packet processing
- A-64386293–EoP–Skcipher
- A-66954097–EoP–Ashmem
- A-68266545–ID–High-precision timers
LG components suffer a single vulnerability marked High. This EoP-type issue could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. The related issue is: A-68269077–Bootloader.
Once again, we are back at the Media Framework. A single EoP-type vulnerability that could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process has been found. The related issue is: A-38118127.
MediaTek didn’t escape scrutiny. A single EoP-type vulnerability has been discovered that could enable a local malicious application to execute arbitrary code within the context of a privileged process. The related issue is: A-38308024.
The NVIDIA driver was discovered to contain an EoP vulnerability that could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. The related issue is: A-37776156.
Finally, Qualcomm’s open source components have been found to contain two EoP-type vulnerabilities that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The related bugs are:
- CVE-2017-15849–Display
- CVE-2017-11069–Bootloader
That’s it for the critical and high vulnerabilities found in the latest security patches for Android.
Upgrade and update
The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.
Daily Tech Insider Newsletter
Stay up to date on the latest in technology with Daily Tech Insider. We bring you news on industry-leading companies, products, and people, as well as highlighted articles, downloads, and top resources. You’ll receive primers on hot tech topics that will help you stay ahead of the game.
Delivered Weekdays
