Security

Android Security Bulletin November 2017: What you need to know

The Android Security Bulletin is now broken into patch levels, making it easier to compare your device with the listing of issues. Here are the highlights from the November Android Security Bulletin.

We're back with the Android Security Bulletin. As we discovered last month, the split off of the Nexus/Pixel Bulletin brought about a marked drop in vulnerabilities listed for all other devices. Even better, it seems Google is now listing vulnerabilities associated with certain patch levels. This means you can check your security patch release on your device and then compare it to what is listed in the bulletin. This is a very welcome change.

Let's take a look at what vulnerabilities can be found for the most recent three security patch levels for Android (2017-11-01, 2017-11-05, and 2017-11-01). This, of course, becomes a bit problematic, considering your device might not be up to speed with the one of these latest security patches. By the time your device updates to the most recent patch, chances are these vulnerabilities will be fixed. This speaks more to the slower speeds at which OEMs get the security patches to devices, than it does to Google. Every Android device manufacturer on the planet needs to get this process up to speed, otherwise their users run the risk of data theft.

Check the security release on your Android device

Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device. To my surprise, my daily driver OnePlus 3 is still stuck with the September 1, 2017 security patch (this is on OnePlus, not Google). To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).

Figure A

Figure A

My OnePlus 3 with an out of date security patch.

With that out of the way, let's take a look at the vulnerabilities to be found.

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCC—Remote code execution
  • EoP—Elevation of privilege
  • ID—Information disclosure
  • DoS—Denial of service

SEE: Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)

2017-11-01 Security Patch Level

Critical vulnerabilities

There were six vulnerabilities marked critical for 2017-11-01. The first five were all associated with the media framework and could enable an attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. These vulnerabilities are:

  • A-62887820—RCE
  • A-62896384—RCE
  • A-63125953—RCE
  • A-63316832—RCE
  • A-64893226—RCE

The final critical vulnerability affects the system, which could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. This vulnerability is: A-37723026—RCE.

High vulnerabilities

There are five vulnerabilities marked high. Two of which could enable a locally installed, malicious application to bypass user interaction requirements to gain additional privileges. The remaining issues could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process.

The vulnerabilities that bypass user interaction requirements are:

  • A-62623498—EoP
  • A-37442941—EoP

The vulnerabilities that allow the execution of arbitrary code within a privileged process are:

  • A-64478003—ID
  • A-62948670—ID
  • A-37502513—EoP

2017-11-05 Security Patch Level

Critical vulnerabilities

There were only three critical vulnerabilities found in the 2017-11-05 patch, each of which affect Qualcomm components. These vulnerabilities could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The vulnerabilities are:

High vulnerabilities

There were eight vulnerabilities marked high in the 2017-11-05 patch. Each of these vulnerabilities could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process.

The first two vulnerabilities affect Kernel components. These issues are:

  • A-62265013—EoP (Networking Subsystem)
  • A-64258073—EoP (WLAN)

There is a single vulnerability that affects MediaTek components. This issue is A-62670819—EoP (CCCI).

The NVIDIA GPU driver was also found to contain a high vulnerability. This issue is A-34705430—EoP.

Qualcomm was also found to contain four vulnerabilities ranked high. These issues are:

  • A-62949902—EoP (GPU driver)
  • A-36575870—EoP (QBT1000 driver)
  • A-64453575—EoP (Linux boot)
  • A-64453533—ID (Camera)

2017-11-06 Security Patch Level

There were only nine vulnerabilities listed in the 2017-11-06 Security Patch. All of these issues are marked high and could enable a nearby attacker to bypass user interaction requirements during the process of joining an unsecured Wi-Fi network. These issues are:

That's it for the critical and high vulnerabilities found in the last three security patches for Android.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.

Also see

Image: Jack Wallen

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox