SecurityWeek

Mobile & Wireless

Google Patches 81 Android Vulnerabilities With September 2017 Updates

A total of 81 security vulnerabilities have been addressed in this month’s set of security patches for the Android platform. 13 of the flaws were rated Critical severity.

The security bulletin has two security patch levels, each focused on addressing vulnerabilities in specific components. 

The 2017-09-01 security patch level fixes a total of 30 vulnerabilities, 10 of which are rated Critical severity, 15 High risk, and 5 Medium severity. Affected Android iterations range from version 4.4.4 to 8.0, but only some vulnerabilities impact all platform releases.

The most affected component was media framework, with 24 vulnerabilities addressed in it, including 10 rated Critical severity, all remote code execution flaws. 10 other bugs were rated High risk, including one remote code execution, 4 elevation of privilege, and 5 denial of service issues.

The remaining 4 bugs are considered Moderate risk. Three of them, however, have a Medium risk rating only when affecting Android versions 7.0, 7.1.1, 7.1.2, or 8.0. When impacting platform releases older than 7.0, they are considered High severity, Google’s advisory reads.

As part of the 2017-09-01 security patch level, Google also addressed a High risk elevation of privilege flaw in Framework, three High risk (2 remote code execution and one elevation of privilege) issues in Libraries, one High severity denial of service bug in Runtime, and one Moderate elevation of privilege bug in System.

Tracked as CVE-2017-0780, the denial of service vulnerability in Runtime affects Nexus and Pixel devices and allows an attacker to remotely crash a victim’s Android Messages app by sending a malformed multimedia message (MMS), Trend Micro reveals. If the bug is triggered, the app can’t recover even if the device is rebooted.

The bug stems from unhandled Java-level NullPointerExceptions (NPEs) thrown while the messaging app parses Graphics Interchange Format (GIF) files. To exploit it, an attacker needs to know the phone number of the victim they want to send the malicious GIF to.

A total of 51 vulnerabilities were resolved as part of the 2017-09-05 security patch level, but only three of them were rated Critical.

Qualcomm components emerge as the most impacted, with 21 vulnerabilities resolved in them, including 1 Critical remote code execution bug, 4 High risk flaws (1 information disclosure and 3 elevation of privilege), and 16 Moderate severity bugs (11 elevation of privilege and 5 information disclosure).

A total of 8 vulnerabilities were addressed in Broadcom components, including a Critical remote code execution bug, a High severity elevation of privilege issue, and five Moderate flaws (4 elevation of privilege and 1 information disclosure). Only one High severity information disclosure bug was addressed in Imgtk components.

The 2017-09-05 security patch level also resolves 11 flaws in Kernel components, including 1 Critical remote code execution, 7 High risk issues (3 elevation of privilege, 3 information disclosure and 1 denial of service), and 3 Moderate bugs (2 elevation of privilege and 1 information disclosure).

As part of this month’s set of patches, 10 vulnerabilities were resolved in MediaTek components, including 7 High risk bugs and 3 Medium severity. All of these flaws were elevation of privilege issues.

All Google devices will receive the 2017-09-05 security patch level, which addresses all vulnerabilities included in that patch string level and the previous patch string levels. However, the patches will be delivered to these devices as part of the upgrade to Android 8.0 Oreo, Google said.
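An added example (not from the article or from Google) of triaging a device inventory against the two patch levels described above. It assumes each device's level was read from the `ro.build.version.security_patch` system property and that a later patch level includes the fixes of every earlier one; the inventory is constructed.

```python
import re
from datetime import date

# Patch levels named in the article; the counts are the article's figures.
PARTIAL = date(2017, 9, 1)  # 30 fixes: media framework, Framework, Libraries, Runtime, System
FULL = date(2017, 9, 5)     # adds the 51 vendor and kernel fixes, 81 in total

_LEVEL = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

def parse_level(raw):
    """Return the patch level as a date, or None if missing or malformed."""
    m = _LEVEL.match(raw.strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # well-formed digits but not a real date, e.g. 2017-13-40
        return None

def classify(raw):
    """Map a raw patch-level string to full / partial / unpatched / unknown."""
    level = parse_level(raw)
    if level is None:
        return "unknown"      # property absent or unparseable: needs manual review
    if level >= FULL:         # assumption: later levels include earlier fixes
        return "full"
    if level >= PARTIAL:
        return "partial"      # vendor and kernel fixes of 2017-09-05 still missing
    return "unpatched"

def triage(inventory):
    """Group device serials by how much of the September 2017 bulletin they cover."""
    result = {"full": [], "partial": [], "unpatched": [], "unknown": []}
    for line in inventory.strip().splitlines():
        serial, _, raw = line.partition(",")
        result[classify(raw)].append(serial.strip())
    return result

# Constructed inventory: "serial,value of ro.build.version.security_patch"
SAMPLE = """
dev-001,2017-09-05
dev-002,2017-09-01
dev-003,2017-08-05
dev-004,
dev-005,2017-10-01
dev-006,Sept 2017
"""

if __name__ == "__main__":
    for status, serials in triage(SAMPLE).items():
        print(f"{status:9} {', '.join(serials) or '-'}")
```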


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
