Android Security Bulletin June 2017: What you need to know

It was a bad month for Qualcomm components in the Android Security Bulletin. Get the highlights.

3 ways to avoid ransomware on Android

Qualcomm components were crushed in the June 2017 Android Security Bulletin with 26 Critical bugs. Beyond that, Android fared fairly well, with only two Critical issues. Let's look at the highlights about the Qualcomm components, as detailed in the June 2017 Android Security Bulletin.

SEE: Guidelines for building security policies (Tech Pro Research)

Check the security release on your Android device

Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device.

Of the Android devices I use regularly, the Verizon-branded Nexus 6 (running Android 7.0) and the OnePlus 3 (running Android 7.1.1) are now only one patch behind--they're running the May 2017 security patch (Figure A).

Figure A

Figure A

OnePlus 3 running the May 2017 security patch.

Now let's look at the vulnerabilities affecting the Android platform.

SEE: Free ebook--Cybersecurity in an IoT and mobile world (TechRepublic)

Image: Jack Wallen

Qualcomm Critical issues

Qualcomm has quite a bit of patching to do for the Android platform. These vulnerabilities are described in the Qualcomm AMSS security bulletins from 2014-2016, so some of these issues are long-standing.

The fixes and the descriptions are only available directly from Qualcomm and the critical bugs, which affect closed source components, are as follows:

QC-CR#381837, QC-CR#581093, QC-CR#642173, QC-CR#739110, QC-CR#748397, QC-CR#748407, QC-CR#762111, QC-CR#762182, QC-CR#758752, QC-CR#762167, QC-CR#740680, QC-CR#746617, QC-CR#814373, QC-CR#855220, QC-CR#701858, QC-CR#827837, QC-CR#987699, QC-CR#973605, QC-CR#947438, QC-CR#991476, QC-CR#961142, QC-CR#989028, QC-CR#949933, QC-CR#988502, QC-CR#1020465, QC-CR#1058511, QC-CR#552880

Oh wait, there's more! There is also a Critical issue affecting the Qualcomm Bluetooth driver that could enable a proximity attacker to execute arbitrary code within the kernel. That bug is QC-CR#1101054.

Qualcomm High issues

There are Qualcomm issues marked as High:

You will also find a lot of bugs labeled High that affect Qualcomm closed-source components. Those bugs are:

QC-CR#552880, QC-CR#622701, QC-CR#638984, QC-CR#656267, QC-CR#657771, QC-CR#651900, QC-CR#680778, QC-CR#711585, QC-CR#727398, QC-CR#739802, QC-CR#733455, QC-CR#735148, QC-CR#743985, QC-CR#736146, QC-CR#762764, QC-CR#866015, QC-CR#873202, QC-CR#892541, QC-CR#854667, QC-CR#906713,QC-CR#917701, QC-CR#917702, QC-CR#977632, QC-CR#988941

Qualcomm Moderate issues

The Moderate issues gave the Critical issues a run for their money. The current list of Moderate vulnerabilities includes:

The onus is on Qualcomm

Because so many of these bugs affect closed-source components, the onus is on Qualcomm to resolve the vulnerabilities. Until that is complete, these bugs will continue to plague Android. Considering some of these bugs date back to 2014, my guess is that the manufacturer isn't exactly chomping at the bit to fix the problems.

Does that mean your Android device is riddled with issues? Although it may seem so, I wouldn't toss those devices in the garbage. Some of these issues date back to older releases of Android, which means if you're running an up-to-date version of the platform, you will be fine. However, it would behoove you (for more reasons than merely the Qualcomm vulnerabilities) to regularly update Android and all installed apps. Do this daily, so you can be sure your mobile device is as secure as possible.

SEE: 3 simple steps to avoid ransomware on Android (TechRepublic)

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.

To see the full listing of vulnerabilities, which includes a number of issues beyond those affecting Qualcomm components, check out the June 2017 Android Security Bulletin.

Also see

By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic, The New Stack, and Linux New Media. He's covered a variety of topics for over twenty years and is an avid promoter of open source. For more news about Jack Wallen, visit his website jackwallen....