Released on Tuesday, Google’s first Android Security Bulletin for 2017 patches a total of 95 vulnerabilities in the operating system, 22 of which were rated Critical severity. Over half (50) of the bugs addressed this month were Elevation of privilege flaws.
As the process has been over the past several months, January’s security bulletin is split in two, making it easier for device manufacturers to implement patches: the 2017-01-01 security patch level resolves 23 issues that affect various Android components, while the 2017-01-05 security patch level addresses 72 bugs affecting drivers and other ODM software and which impact Nexus and Pixel devices too.
Of the 22 vulnerabilities assessed with a Critical severity rating, a Remote code execution flaw (CVE-2017-0381) was resolved in Mediaserver, one of the most impacted Android components. Ever since Google kicked off the monthly patch program in the summer of 2015, various Critical issues were found in Mediaserver, starting with Stagefright, which was followed by a second Stagefright vulnerability only several months later.
The remaining 21 Critical flaws patched this month include Elevation of privilege issues affecting the kernel memory subsystem, Qualcomm bootloader, kernel file system, NVIDIA GPU driver, MediaTek driver, Qualcomm GPU driver, and Qualcomm video driver. Three other Critical vulnerabilities were patched in various Qualcomm components, Google’s advisory reveals.
While only one of the 23 vulnerabilities addressed in the 2017-01-01 security patch level was rated Critical, 14 of them were rated High severity. These included Remote code execution bugs in c-ares and Framesequence; Elevation of privilege vulnerabilities in Framework APIs, Audioserver, libnl, and Mediaserver; an Information disclosure vulnerability in External Storage Provider; and Denial of service flaws in core networking, Mediaserver, and Telephony.
Eight of the bugs resolved by this security patch level were Medium risk: an Elevation of privilege vulnerability in Contacts, two Information disclosure vulnerabilities in Mediaserver, and five Information disclosure issues in Audioserver.
Of the 72 vulnerabilities addressed in the 2017-01-05 security patch level, 18 were the aforementioned Critical Elevation of privilege flaws, 3 were Critical bugs in Qualcomm components, 33 were High risk flaws in various drivers and components, and 18 were considered Medium severity.
While six of the High risk flaws were addressed in Qualcomm components, 22 were Elevation of privilege issues affecting Qualcomm camera, MediaTek components, Qualcomm Wi-Fi driver, NVIDIA GPU driver, Qualcomm sound driver, Synaptics touchscreen driver, kernel security subsystem, kernel performance subsystem, kernel sound subsystem, Qualcomm Wi-Fi driver, Qualcomm radio driver, kernel profiling subsystem and Broadcom Wi-Fi driver.
The remaining five High risk flaws include Information disclosure vulnerabilities in NVIDIA video driver and bootloader, as well as Denial of service vulnerabilities in Qualcomm FUSE file system and bootloader.
The Medium risk bugs addressed in the 2017-01-05 security patch level include Elevation of privilege vulnerabilities in Broadcom Wi-Fi driver, bootloader, and Binder; Information disclosure vulnerabilities in NVIDIA camera driver, MediaTek driver, STMicroelectronics driver, Qualcomm audio post processor, and HTC input driver, a Denial of service vulnerability in kernel file system, and another flaw in Qualcomm components.
According to Google, a security patch level of 2017-01-05 or later must address all of the 2017-01-01 issues as well. Supported Google devices are set to receive a single over the air update with the January 5, 2017 security patch level.