Mobility

Android Security Bulletin July 2017: What you need to know

July brought to a drastic reduction in critical-level vulnerabilities found in Android. Get the highlights.

Image: Jack Wallen

The July Android Security Bulletin introduced a pretty severe issue with the Broadcom Wi-Fi chipset as well as the media framework getting hit with a few critical bugs. Let's take a look at the highlights, so you can begin to understand why it's so important to keep your device regularly updated.

SEE: Guidelines for building security policies (Tech Pro Research)

Check the security release on your Android device

Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device.

To my surprise, my daily driver OnePlus 3 is still running the May 1, 2017 Security Patch. To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).

Figure A

Figure A

OnePlus 3 running the May 2017 Security Patch.

Now let's look at the vulnerabilities affecting the Android platform.

Critical Issues

Broadcom components

The first issue we must highlight effects the Broadcom Wi-Fi chipset. This particular vulnerability can cause millions of mobile devices to be open to remote hacking and would allow a nearby attacker to execute arbitrary code within the context of the kernel. This vulnerability has been dubbed BroadPwn and can be found in the Broadcom BCM43xx family of Wi-Fi chipsets. This will affect HTC, LG, Nexus and nearly the full range of Samsung flagship devices. Because of the possibility of remote hijacking of a device, via the Broadcom Wi-Fi chipset, this issue has been rated critical.

Related bug: CVE-2017-9417

SEE: Mobile devices with Broadcom chipsets may be vulnerable to Wi-Fi hijacking

Media Framework

What would a month be without a critical issue found within the media framework? This time around there are 10 critical bugs found with this particular framework that could enable a remote attacker, using a specially crafted file, to execute arbitrary code within the context of a privileged process. Because of the possibility of remote code execution, this issue has been rated as critical.

Related bugs: CVE-2017-0540, CVE-2017-0673, CVE-2017-0674, CVE-2017-0675, CVE-2017-0676, CVE-2017-0677, CVE-2017-0678, CVE-2017-0679, CVE-2017-0680, CVE-2017-0681.

Interestingly enough, that's it for the critical vulnerabilities.

High Issues

There are a number of vulnerabilities marked high. They include the following.

Kernel components

Two issues were found within the kernel that could enable malicious applications to execute arbitrary code within the context of a privileged process. The two issues that were marked as high were both found with the Networking Subsystem.

Related bugs: CVE-2017-6074, CVE-2017-5970

NVIDIA components

A buffer overflow issue, that affects an unknown function within the NVIDIA libnvparser component, was discovered. This vulnerability could enable a local malicious application to execute arbitrary code within the context of a privileged process, giving it access it clearly shouldn't have.

Related bug: CVE-2017-0340

There were also a number of Qualcomm vulnerabilities listed as high and moderate. However, most of these issues have already been resolved, thanks to Qualcomm.

Quality, not quantity

Don't let the small number of issues fool you; the Broadcomm Wi-Fi vulnerability alone should give you enough reason to be checking for updates on a daily basis. If you're in the same situation as am I, your device's patch level is uncomfortably behind.

Other than that, the July Security Bulletin offered us a nice respite from the massive listing of vulnerabilities we've seen of late.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.

To see the full listing of vulnerabilities, check out the full July 2017 Android Security Bulletin.

Also see

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox