Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Patches 35 Critical Android Vulnerabilities

Google this week released a new set of monthly security patches for Android to address over 100 vulnerabilities in the platform, 35 of which carry a Critical severity rating.

Google this week released a new set of monthly security patches for Android to address over 100 vulnerabilities in the platform, 35 of which carry a Critical severity rating.

In a newly published Security Bulletin, Google reveals that two partial security patch level strings are rolling out this month: the 2017-03-01 security patch level to resolve 36 vulnerabilities (11 Critical, 15 High, 9 Moderate, 1 Low), and the 2017-03-05 security patch level to address 71 flaws (24 Critical, 32 High, 14 Moderate, 1 Low).

The 11 Critical flaws resolved with the 2017-03-01 security patch level include nine Remote Code Execution (RCE) issues in Mediaserver; one RCE in OpenSSL & BoringSSL; and an Elevation of privilege (EoP) vulnerability in recovery verifier.

The 15 vulnerabilities rated High included three RCE bugs in AOSP Messaging, libgdx, and Framesequence library; two EoP issues in Audioserver; one EoP in NFC; and nine Denial of Service (DoS) vulnerabilities in Mediaserver.

The Medium risk flaws include EoP issues in Location Manager, Wi-Fi, Package Manager, and System UI; Information disclosure vulnerabilities in AOSP Messaging and Mediaserver; and DoS bugs in Setup Wizard and Mediaserver. The Low severity issue addressed in 2017-03-01 security patch level is a DoS vulnerability in Audioserver.

The 24 Critical risk issue resolved in 2017-03-05 security patch level include 19 EoP vulnerabilities (seven in MediaTek components, five in NVIDIA GPU driver, two in kernel ION subsystem, one in Broadcom Wi-Fi driver, one in kernel FIQ debugger, one in Qualcomm GPU driver, and two in kernel networking subsystem) and 5 various vulnerabilities in Qualcomm components. 

Elevation of privilege issues clearly dominated the patch level, given that 25 rated High severity were addressed as well. They affected kernel networking subsystem, Qualcomm input hardware driver, MediaTek Hardware Sensor Driver, Qualcomm ADSPRPC driver, Qualcomm fingerprint sensor driver, Qualcomm crypto engine driver, Qualcomm camera driver, MediaTek APK, Qualcomm Wi-Fi driver, Synaptics touchscreen driver, Qualcomm IPA driver, HTC Sensor Hub Driver, NVIDIA GPU driver, Qualcomm networking driver, kernel security subsystem, and Qualcomm SPCom driver.

Six of the remaining High risk issues addressed in 2017-03-05 security patch level are Information disclosure vulnerabilities (affecting kernel networking subsystem, MediaTek driver, Qualcomm bootloader, Qualcomm power driver, NVIDIA GPU driver), while the last one is a Denial of service vulnerability in kernel cryptographic subsystem.

The Moderate risk flaws addressed in this patch level include an EoP in Qualcomm camera driver (device specific), and 13 Information disclosure bugs (in Qualcomm Wi-Fi driver, MediaTek video codec driver, Qualcomm video driver, Qualcomm camera driver, HTC sound codec driver, Synaptics touchscreen driver, and kernel USB gadget driver). The Low severity bug was an Information disclosure vulnerability in Qualcomm camera driver.

All of the above issues should be addressed by security patch levels of 2017-03-05 or later, Google notes on its advisory. The company already started pushing an over-the-air update to Google Devices (Android One, Nexus, and Pixel devices) with the March 05, 2017 security patch level.

Related: Google Patches 22 Critical Android Vulnerabilities

Related: Google Patches 74 Vulnerabilities in Android

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.