Android Security Bulletin March 2018: What you need to know

The latest Android Security Bulletin might, at first blush, paint a frightening picture. Considering there are 11 vulnerabilities marked "Critical," it might be easy to think the platform has regressed. However, when you realize the sum total of listed vulnerabilities equals the total of critical vulnerabilities in bulletins past, one quickly draws the conclusion that Android is heading into rather safe territory. Despite that fact, let's highlight some of the vulnerabilities found in the March Android Security Bulletin.

Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device. To no surprise, my daily driver, an Essential PH-1, is running the latest security patch (March 5, 2018). To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).

Figure A

Terminology

You will find different types of vulnerabilities listed. Possible types include:

• RCE—Remote code execution
• EoP—Elevation of privilege
• ID—Information disclosure
• DoS—Denial of service

SEE: Information security incident reporting policy (Tech Pro Research)

2018-03-01 security patch level

Critical Issues

There are nine issues marked Critical for March 01—four of which affect the media framework (no surprise there), four that affect the System, and one that affects a Qualcomm closed-source component. The first issues which affect the media framework are marked Critical because they could allow a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. Related bugs are (listed as Common Vulnerability and Exposure, Reference, and Type):

• CVE-2017-13248A-70349612 RCE
• CVE-2017-13249A-70399408 RCE
• CVE-2017-13250A-71375536 RCE
• CVE-2017-13251A-69269702 EoP

The four vulnerabilities that affect the System are marked Critical because they could enable a proximate hacker to execute arbitrary code within the context of a privileged process. Related bugs are:

• CVE-2017-13255A-68776054 RCE
• CVE-2017-13256A-68817966 RCE
• CVE-2017-13272A-67110137 [2] RCE
• CVE-2017-13266A-69478941 RCE

Finally, the one Qualcomm closed source component issue, details of which can only be found in the Qualcomm AMSS security bulletin, is listed as (CVE, Reference, Qualcomm Reference, Type, Component):

• CVE-2017-17773 A-70221445 QC-CR#2125554* N/A Closed-source component

That's it for Critical bugs in the March 01 patch level.

High Issues

As for vulnerabilities marked High, there are eight. The first issues that affect the media framework are marked High because they could allow a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. These bugs are:

• CVE-2017-13252A-70526702 EoP
• CVE-2017-13253A-71389378 EoP

The next four High vulnerabilities are associated with the System, and could enable a proximate attacker to execute arbitrary code within the context of a privileged process. These bugs are:

• CVE-2017-13257A-67110692 ID
• CVE-2017-13258A-67863755 ID
• CVE-2017-13259A-68161546 [2] ID
• CVE-2017-13260A-69177251 ID
• CVE-2017-13261A-69177292 ID
• CVE-2017-13262A-69271284 ID

SEE: IT pro's guide to effective patch management (free PDF) (TechRepublic)

2018-03-05 security patch level

Critical Issues

There are only two Critical vulnerabilities found within the March 05 patch level, both of which are associated with Qualcomm components. Both of these issues were marked as Critical as they could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. Related bugs are (listed as CVE, Reference, Qualcomm Reference, and Type):

• CVE-2017-18067 A-68992411 QC-CR#2081734 [2] RCE
• CVE-2017-15815 A-68992395 QC-CR#2093392 RCE

There are a few kernel components found to have High-rated vulnerabilities. These were labeled as High as they could enable a locally installed, malicious application to execute arbitrary code within the context of a privileged process. Related bugs are (listed as CVE, Reference, Type, and Component):

• CVE-2017-16530 A-69051940 EoP UAS driver
• CVE-2017-16525 A-69050921 EoP USB driver
• CVE-2017-16535 A-69052675 ID USB driver
• CVE-2017-16533 A-69052348 ID USB driver
• CVE-2017-16531 A-69052055 ID USB driver
• CVE-2017-16529 A-69051731 ID USB sound driver

NVIDIA components were found to contain two vulnerabilities marked High. Both of these could enable a locally installed, malicious application to execute arbitrary code within the context of a privileged process. These two issues are (listed as CVE, Reference, NVIDIA Reference, Type, Component):

• CVE-2017-6281 A-66969318* N-CVE-2017-6281 EoP Libnvomx
• CVE-2017-6286 A-64893247* N-CVE-2017-6286 EoP Libnvomx

Qualcomm components comprise the majority of vulnerabilities in the March Security Bulletin, most of which are marked High. The worse of these issues could enable an attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. These bugs are (listed as CVE, Reference, Qualcomm References, Type, and Component):

• CVE-2017-18068 A-70799990 QC-CR#2072064 EoP WLAN
• CVE-2017-18056 A-70237692 QC-CR#2119404 EoP WLAN
• CVE-2017-18063 A-68992442 QC-CR#2114776 EoP WLAN
• CVE-2017-18064 A-68992438 QC-CR#2114323 EoP WLAN
• CVE-2017-15821 A-68992432 QC-CR#2113072 EoP WLAN
• CVE-2017-14885 A-70237686 QC-CR#2113758 EoP WLAN
• CVE-2017-18069 A-67582682*QC-CR#2054772 QC-CR#2058471 ID WLAN
• CVE-2017-14882 A-68992424 QC-CR#2101439 ID WLAN
• CVE-2017-14878 A-70237706 QC-CR#2064580 [2] [3] DoS Wireless network driver

There is also one vulnerability, marked High, that affects a Qualcomm closed-source component. That vulnerability is (listed as CVE, Reference, Qualcomm Reference, Type, Component):

• CVE-2016-10393 A-68326806 QC-CR#1055934* N/A Closed-source component

That's it for the Critical and High vulnerabilities found in the latest security patches for Android.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.

Also see

• Android Security Bulletin February 2018: What you need to know (TechRepublic)
  
• Android Security Bulletin January 2018: What you need to know (TechRepublic)
• Android Security Bulletin November 2017: What you need to know (TechRepublic)
• Android ransomware up more than 50%, locking users' devices until they pay (TechRepublic)
• Don't use Android pattern lock to protect secrets, researchers warn (ZDNet)