Android Security Bulletin March 2018: What you need to know

The March Security Bulletin brought another rise in Critical vulnerabilities. Is it time to panic? Jack Wallen says "no." Here are the highlights from the March Android Security Bulletin.

The latest Android Security Bulletin might, at first blush, paint a frightening picture. Considering there are 11 vulnerabilities marked "Critical," it might be easy to think the platform has regressed. However, once you realize that the sum total of listed vulnerabilities equals the total of critical vulnerabilities in bulletins past, you quickly conclude that Android is heading into rather safe territory. Despite that fact, let's highlight some of the vulnerabilities found in the March Android Security Bulletin.

Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device. To no surprise, my daily driver, an Essential PH-1, is running the latest security patch (March 5, 2018). To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).

Figure A

The Essential PH-1 is always on top of the security patches.

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCE—Remote code execution
  • EoP—Elevation of privilege
  • ID—Information disclosure
  • DoS—Denial of service

2018-03-01 security patch level

Critical Issues

There are nine issues marked Critical for March 01—four of which affect the media framework (no surprise there), four that affect the System, and one that affects a Qualcomm closed-source component. The first issues, which affect the media framework, are marked Critical because they could allow a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. Related bugs are (listed as Common Vulnerabilities and Exposures, Reference, and Type):

The four vulnerabilities that affect the System are marked Critical because they could enable a proximate hacker to execute arbitrary code within the context of a privileged process. Related bugs are:

Finally, the one Qualcomm closed source component issue, details of which can only be found in the Qualcomm AMSS security bulletin, is listed as (CVE, Reference, Qualcomm Reference, Type, Component):

  • CVE-2017-17773 A-70221445 QC-CR#2125554* N/A Closed-source component

That's it for Critical bugs in the March 01 patch level.

High Issues

As for vulnerabilities marked High, there are eight. The first issues that affect the media framework are marked High because they could allow a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. These bugs are:

The next four High vulnerabilities are associated with the System, and could enable a proximate attacker to execute arbitrary code within the context of a privileged process. These bugs are:

2018-03-05 security patch level

Critical Issues

There are only two Critical vulnerabilities found within the March 05 patch level, both of which are associated with Qualcomm components. Both of these issues were marked as Critical as they could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. Related bugs are (listed as CVE, Reference, Qualcomm Reference, and Type):

High Issues

There are a few kernel components found to have High-rated vulnerabilities. These were labeled as High as they could enable a locally installed, malicious application to execute arbitrary code within the context of a privileged process. Related bugs are (listed as CVE, Reference, Type, and Component):

  • CVE-2017-16530 A-69051940 EoP UAS driver
  • CVE-2017-16525 A-69050921 EoP USB driver
  • CVE-2017-16535 A-69052675 ID USB driver
  • CVE-2017-16533 A-69052348 ID USB driver
  • CVE-2017-16531 A-69052055 ID USB driver
  • CVE-2017-16529 A-69051731 ID USB sound driver

NVIDIA components were found to contain two vulnerabilities marked High. Both of these could enable a locally installed, malicious application to execute arbitrary code within the context of a privileged process. These two issues are (listed as CVE, Reference, NVIDIA Reference, Type, Component):

  • CVE-2017-6281 A-66969318* N-CVE-2017-6281 EoP Libnvomx
  • CVE-2017-6286 A-64893247* N-CVE-2017-6286 EoP Libnvomx

Qualcomm components comprise the majority of vulnerabilities in the March Security Bulletin, most of which are marked High. The worst of these issues could enable an attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. These bugs are (listed as CVE, Reference, Qualcomm References, Type, and Component):

There is also one vulnerability, marked High, that affects a Qualcomm closed-source component. That vulnerability is (listed as CVE, Reference, Qualcomm Reference, Type, Component):

  • CVE-2016-10393 A-68326806 QC-CR#1055934* N/A Closed-source component

That's it for the Critical and High vulnerabilities found in the latest security patches for Android.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.
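
One way to check a device, or a whole inventory, against the two patch levels this bulletin defines, as an added example that is not part of the original article. It assumes the patch level string comes from `adb shell getprop ro.build.version.security_patch` (the same value Settings shows); the function names and the sample inventory are constructed for illustration.

```python
import datetime
import subprocess

# The two patch levels covered in the article above.
PARTIAL_LEVEL = datetime.date(2018, 3, 1)  # media framework, System, one Qualcomm closed-source issue
FULL_LEVEL = datetime.date(2018, 3, 5)     # adds the kernel, NVIDIA and Qualcomm component fixes


def parse_patch_level(raw):
    """Parse the YYYY-MM-DD string Android reports; return None if malformed."""
    try:
        return datetime.datetime.strptime(raw.strip(), "%Y-%m-%d").date()
    except (ValueError, AttributeError):
        return None


def classify(raw):
    """Map a reported patch level onto the bulletin's two levels."""
    level = parse_patch_level(raw)
    if level is None:
        return "unknown"   # empty or garbled value: treat as unverified, not as patched
    if level >= FULL_LEVEL:
        return "full"      # 2018-03-05 or later includes both sets of fixes
    if level >= PARTIAL_LEVEL:
        return "partial"   # 2018-03-01 set only; kernel and vendor fixes not guaranteed
    return "missing"


def read_patch_level_via_adb(serial=None):
    """Read the value from an attached device (assumes adb is on PATH)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "getprop", "ro.build.version.security_patch"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def audit(inventory):
    """Group device names by status so unpatched ones stand out."""
    report = {"full": [], "partial": [], "missing": [], "unknown": []}
    for name, raw in sorted(inventory.items()):
        report[classify(raw)].append(name)
    return report


# Constructed sample inventory (device names and values are made up).
SAMPLE_INVENTORY = {
    "essential-ph1": "2018-03-05",
    "lab-tablet": "2018-03-01\n",
    "old-handset": "2017-11-06",
    "kiosk-07": "",
    "test-phone": "2018-04-01",
}

if __name__ == "__main__":
    for status, names in audit(SAMPLE_INVENTORY).items():
        print(f"{status:8} {', '.join(names) or '-'}")
```

For a live device, pass the output of `read_patch_level_via_adb()` to `classify()`; anything other than "full" still lacks at least some of the fixes listed above.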

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
