
Android Security Bulletin October 2017: What you need to know

Android has seen a drastic drop in vulnerabilities. Here are the highlights from the October Android Security Bulletin.


The Android Security Bulletin has undergone yet another change. This time around, Android has split off the Pixel and Nexus into their own listing. If you happen to own one of those devices, make sure to check out the Pixel/Nexus Security Bulletin. With that said, it seems the issues plaguing the standard Android Security Bulletin have calmed down quite a bit. Yes, you'll find the usual suspects of Critical, High, and Moderate vulnerabilities, just not nearly as many. This drop in vulnerabilities could be due to the separation of Android and Nexus/Pixel into their own bulletin. Regardless of why, let's take a look at the issues that currently haunt Android.

Check the security release on your Android device

Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device. To my surprise, my daily driver OnePlus 3 is still stuck with the August 1, 2017 security patch. To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).

Figure A


My OnePlus 3 with an out of date security patch.
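The same value shown under Settings > About Phone is exposed as the system property ro.build.version.security_patch, so the check can be scripted for a whole drawer of test devices. The script below is an added example, not part of the article; it assumes adb is installed, the device is authorized for USB debugging, and that 2017-10-01 is the patch level string a device updated to the October 2017 bulletin should report.

```shell
#!/bin/sh
# Added example (not from the original article): compare a device's
# Android security patch level with a bulletin's patch-level date.
# Assumes adb is installed and the device is authorized for USB debugging.

BULLETIN_DATE="2017-10-01"   # patch level of the October 2017 bulletin

# Turn a YYYY-MM-DD patch level into a comparable integer YYYYMMDD.
to_int() {
    printf '%s' "$1" | tr -d '-'
}

# Succeeds (exit 0) when the device patch level ($1) is at or after the
# bulletin date ($2); exit 2 when the property could not be read.
patch_is_current() {
    level=$(to_int "$1")
    want=$(to_int "$2")
    case "$level" in
        ''|*[!0-9]*) return 2 ;;   # empty or non-numeric: unreadable property
    esac
    [ "$level" -ge "$want" ]
}

# Read the patch level from the connected device; strip the CR/LF adb appends.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

main() {
    level=$(device_patch_level)
    if patch_is_current "$level" "$BULLETIN_DATE"; then
        echo "OK: patch level $level covers the $BULLETIN_DATE bulletin"
    else
        echo "OUT OF DATE: patch level '$level' is older than $BULLETIN_DATE"
        return 1
    fi
}

# Only talk to a device when invoked as: sh check_patch.sh --check
if [ "${1:-}" = "--check" ]; then
    main
fi
```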

And now, what's up with the October Security Bulletin?

Critical issues

There are only five critical issues listed in the October bulletin. These issues are as follows:

Media Framework

The Android Security Bulletin wouldn't be the same without the Media Framework being involved. There are three bugs marked Critical, each of which is of the Remote Code Execution (RCE) type. These are labeled as Critical, as they could enable a remote attacker, using a specially crafted malicious file, to execute arbitrary code within the context of a privileged process. Related bugs include:

Qualcomm Components

There are two vulnerabilities marked as Critical that affect Qualcomm components. These issues are also of the RCE variety and could enable an attacker, using a specially crafted malicious file, to execute arbitrary code within the context of a privileged process. Related bugs include:

Believe it or not, that's it for Critical vulnerabilities.

High issues

Framework

There is an Elevation of Privilege (EoP) vulnerability in the Android framework that could enable a local malicious application to bypass user interaction requirements and gain access to additional privileges. The one related bug is:

A-62998805

Media Framework

The Media Framework includes a single EoP issue, marked as High, which could enable a local malicious application to gain access to additional privileges. The related bug is:

A-62873231

System

Within the Android System, a single Remote Code Execution vulnerability has been marked High. This RCE issue could enable a proximate attacker to execute arbitrary code within the context of a privileged process. The related issue is:

A-64575136

Kernel components

There are two Elevation of Privilege issues found within the kernel. These two bugs are marked High, as they could enable a local malicious application to execute code within the context of a privileged process. The related bugs (both affecting the upstream kernel) are:

  • A-37866910
  • A-62298712

That's all for Critical and High issues within the context of the October Android Security bulletin. It's a slow month leading into a holiday season that will probably see a rise in Android device purchases. Here's hoping that elevation of consumerism doesn't equate to an elevation of vulnerabilities.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.


About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
