Qualcomm components were crushed in the June 2017 Android Security Bulletin with 26 Critical bugs. Beyond that, Android fared fairly well, with only two Critical issues. Let's look at the highlights for the Qualcomm components, as detailed in the bulletin.
Check the security release on your Android device
Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device.
Of the Android devices I use regularly, the Verizon-branded Nexus 6 (running Android 7.0) and the OnePlus 3 (running Android 7.1.1) are now only one patch behind—they're running the May 2017 security patch (Figure A).
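One way to run this check from a workstation, as an added example that is not part of the original article: the script reads the patch level over adb and reports how many monthly bulletins a device is missing. It assumes adb is installed and USB debugging is enabled; the function names are hypothetical and the dates used with them are constructed sample values in the YYYY-MM-DD form devices report.

```shell
# Added example (not from the article): check a device's security patch level.
# Function names and any sample dates are illustrative assumptions.

# Read the level from a connected device; needs adb and USB debugging enabled.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# Accept only a well-formed YYYY-MM-DD patch level string.
valid_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-0[1-9]-[0-3][0-9]) return 0 ;;
        [0-9][0-9][0-9][0-9]-1[0-2]-[0-3][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# YYYY-MM-DD -> YYYYMMDD, so levels compare as plain integers.
as_number() { printf '%s\n' "$1" | tr -d '-'; }

# YYYY-MM-DD -> count of months, so two levels can be subtracted.
month_index() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}
    m=${m#0}                      # drop leading zero: "08" would parse as octal
    echo $(( y * 12 + m ))
}

# is_patched DEVICE REQUIRED: exit 0 when the device level is at or past REQUIRED.
is_patched() {
    valid_level "$1" && valid_level "$2" || return 2
    [ "$(as_number "$1")" -ge "$(as_number "$2")" ]
}

# patches_behind DEVICE BULLETIN: print how many monthly bulletins are missing.
patches_behind() {
    valid_level "$1" && valid_level "$2" || { echo invalid; return 2; }
    behind=$(( $(month_index "$2") - $(month_index "$1") ))
    [ "$behind" -ge 0 ] || behind=0
    echo "$behind"
}

# Usage: patches_behind "$(device_patch_level)" <bulletin patch level>
```

A device can report 0 months behind and still fail `is_patched` when the bulletin defines more than one patch level in the same month, so check both.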
Now let's look at the vulnerabilities affecting the Android platform.
Qualcomm Critical issues
Qualcomm has quite a bit of patching to do for the Android platform. These vulnerabilities are described in the Qualcomm AMSS security bulletins from 2014-2016, so some of these issues are long-standing.
The fixes and descriptions are available only directly from Qualcomm. The Critical bugs, which affect closed-source components, are as follows:
QC-CR#381837, QC-CR#581093, QC-CR#642173, QC-CR#739110, QC-CR#748397, QC-CR#748407, QC-CR#762111, QC-CR#762182, QC-CR#758752, QC-CR#762167, QC-CR#740680, QC-CR#746617, QC-CR#814373, QC-CR#855220, QC-CR#701858, QC-CR#827837, QC-CR#987699, QC-CR#973605, QC-CR#947438, QC-CR#991476, QC-CR#961142, QC-CR#989028, QC-CR#949933, QC-CR#988502, QC-CR#1020465, QC-CR#1058511, QC-CR#552880
Oh wait, there's more! There is also a Critical issue affecting the Qualcomm Bluetooth driver that could enable a proximity attacker to execute arbitrary code within the kernel. That bug is QC-CR#1101054.
Qualcomm High issues
There are Qualcomm issues marked as High:
You will also find a lot of bugs labeled High that affect Qualcomm closed-source components. Those bugs are:
QC-CR#552880, QC-CR#622701, QC-CR#638984, QC-CR#656267, QC-CR#657771, QC-CR#651900, QC-CR#680778, QC-CR#711585, QC-CR#727398, QC-CR#739802, QC-CR#733455, QC-CR#735148, QC-CR#743985, QC-CR#736146, QC-CR#762764, QC-CR#866015, QC-CR#873202, QC-CR#892541, QC-CR#854667, QC-CR#906713, QC-CR#917701, QC-CR#917702, QC-CR#977632, QC-CR#988941
Qualcomm Moderate issues
The Moderate issues gave the Critical issues a run for their money. The current list of Moderate vulnerabilities includes:
- Video driver: QC-CR#1103510, QC-CR#1113926, QC-CR#2006159, QC-CR#1110068, QC-CR#1090244
- Sound driver: QC-CR#1105441, QC-CR#1103085
- MStar touchscreen driver: QC-CR#1110563
- Camera driver: QC-CR#2004036, QC-CR#832920, QC-CR#1083323, QC-CR#1091603
- IPA driver: QC-CR#2009606
- Networking driver: QC-CR#1110522
- Secure execution environment communication driver: QC-CR#2009231
- Pin controller driver: QC-CR#856379
The onus is on Qualcomm
Because so many of these bugs affect closed-source components, the onus is on Qualcomm to resolve the vulnerabilities. Until that is complete, these bugs will continue to plague Android. Considering some of these bugs date back to 2014, my guess is that the manufacturer isn't exactly chomping at the bit to fix the problems.
Does that mean your Android device is riddled with issues? Although it may seem so, I wouldn't toss those devices in the garbage. Some of these issues date back to older releases of Android, which means if you're running an up-to-date version of the platform, you will be fine. However, it would behoove you (for more reasons than merely the Qualcomm vulnerabilities) to regularly update Android and all installed apps. Do this daily, so you can be sure your mobile device is as secure as possible.
Upgrade and update
The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.
To see the full listing of vulnerabilities, which includes a number of issues beyond those affecting Qualcomm components, check out the June 2017 Android Security Bulletin.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.