
Google Patches 35 Critical Android Vulnerabilities

Google this week released a new set of monthly security patches for Android to address over 100 vulnerabilities in the platform, 35 of which carry a Critical severity rating.


In a newly published Security Bulletin, Google reveals that two partial security patch level strings are rolling out this month: the 2017-03-01 security patch level to resolve 36 vulnerabilities (11 Critical, 15 High, 9 Moderate, 1 Low), and the 2017-03-05 security patch level to address 71 flaws (24 Critical, 32 High, 14 Moderate, 1 Low).

The 11 Critical flaws resolved with the 2017-03-01 security patch level include nine Remote Code Execution (RCE) issues in Mediaserver; one RCE in OpenSSL & BoringSSL; and an Elevation of privilege (EoP) vulnerability in recovery verifier.

The 15 vulnerabilities rated High include three RCE bugs in AOSP Messaging, libgdx, and the Framesequence library; two EoP issues in Audioserver; one EoP in NFC; and nine Denial of Service (DoS) vulnerabilities in Mediaserver.

The Moderate risk flaws include EoP issues in Location Manager, Wi-Fi, Package Manager, and System UI; Information disclosure vulnerabilities in AOSP Messaging and Mediaserver; and DoS bugs in Setup Wizard and Mediaserver. The Low severity issue addressed in the 2017-03-01 security patch level is a DoS vulnerability in Audioserver.

The 24 Critical risk issues resolved in the 2017-03-05 security patch level include 19 EoP vulnerabilities (seven in MediaTek components, five in the NVIDIA GPU driver, two in the kernel ION subsystem, one in the Broadcom Wi-Fi driver, one in the kernel FIQ debugger, one in the Qualcomm GPU driver, and two in the kernel networking subsystem) and five vulnerabilities of various types in Qualcomm components.

Elevation of privilege issues clearly dominated this patch level: 25 of the 32 High severity flaws are EoP bugs as well. They affect the kernel networking subsystem, Qualcomm input hardware driver, MediaTek Hardware Sensor Driver, Qualcomm ADSPRPC driver, Qualcomm fingerprint sensor driver, Qualcomm crypto engine driver, Qualcomm camera driver, MediaTek APK, Qualcomm Wi-Fi driver, Synaptics touchscreen driver, Qualcomm IPA driver, HTC Sensor Hub Driver, NVIDIA GPU driver, Qualcomm networking driver, kernel security subsystem, and Qualcomm SPCom driver.

Six of the remaining High risk issues addressed in the 2017-03-05 security patch level are Information disclosure vulnerabilities (affecting the kernel networking subsystem, a MediaTek driver, the Qualcomm bootloader, the Qualcomm power driver, and the NVIDIA GPU driver), while the last one is a Denial of service vulnerability in the kernel cryptographic subsystem.

The Moderate risk flaws addressed in this patch level include an EoP in the Qualcomm camera driver (device specific) and 13 Information disclosure bugs (in the Qualcomm Wi-Fi driver, MediaTek video codec driver, Qualcomm video driver, Qualcomm camera driver, HTC sound codec driver, Synaptics touchscreen driver, and kernel USB gadget driver). The Low severity bug is an Information disclosure vulnerability in the Qualcomm camera driver.

All of the above issues are addressed by security patch levels of 2017-03-05 or later, Google notes in its advisory; a device reporting only the 2017-03-01 level has the first set of fixes but not the device-specific second set. The company has already started pushing an over-the-air update to Google devices (Android One, Nexus, and Pixel devices) with the March 05, 2017 security patch level.
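The practical question for anyone managing Android devices is whether a given device's reported patch level is at or past 2017-03-05. The script below is an added example, not code from the article or from Google: it compares a patch-level string against the required level, and, when an `adb` binary is available, reads the level from a connected device via the `ro.build.version.security_patch` system property. The sample levels passed in the usage comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SecurityWeek article): decide whether an
# Android security patch level covers the March 2017 bulletin.

# Level that closes both partial patch levels described in the bulletin.
REQUIRED_LEVEL="2017-03-05"

# patch_level_ok LEVEL [REQUIRED]
#   returns 0 if LEVEL (YYYY-MM-DD) is at or past REQUIRED,
#           1 if LEVEL is behind REQUIRED,
#           2 if LEVEL is not a well-formed patch-level string.
patch_level_ok() {
    level="$1"
    required="${2:-$REQUIRED_LEVEL}"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Patch levels are zero-padded ISO dates, so dropping the dashes
    # yields integers (e.g. 20170301) that order the same way the dates do.
    lvl=$(printf '%s' "$level" | tr -d '-')
    req=$(printf '%s' "$required" | tr -d '-')
    if [ "$lvl" -lt "$req" ]; then
        return 1
    fi
    return 0
}

# describe_level LEVEL [REQUIRED]
#   prints a one-line verdict and returns the same code as patch_level_ok.
describe_level() {
    rc=0
    patch_level_ok "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "$1: covered (at or past ${2:-$REQUIRED_LEVEL})" ;;
        1) echo "$1: BEHIND ${2:-$REQUIRED_LEVEL}, device-specific fixes missing" ;;
        *) echo "$1: unrecognised patch level string" ;;
    esac
    return "$rc"
}

# check_device [REQUIRED]
#   reads the patch level from the first connected device over adb.
#   Assumes the adb tool is installed and a device is attached.
check_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found on PATH" >&2
        return 2
    fi
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    describe_level "$level" "$1"
}

# Usage from a terminal (not run here so the functions stay side-effect free):
#   describe_level 2017-03-01   # behind: only the first partial level applied
#   describe_level 2017-03-05   # covered
#   check_device                # queries an attached device over adb
```

A device that reports `2017-03-01` passes the first partial level but is still missing the 71 device-specific fixes, which is why the comparison is against `2017-03-05` rather than against the month alone.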

Related: Google Patches 22 Critical Android Vulnerabilities

Related: Google Patches 74 Vulnerabilities in Android

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
