
Google Patches 81 Android Vulnerabilities With September 2017 Updates

A total of 81 security vulnerabilities have been addressed in this month’s set of security patches for the Android platform. 13 of the flaws were rated Critical severity.

The security bulletin has two security patch levels, each focused on addressing vulnerabilities in specific components. 


The 2017-09-01 security patch level fixes a total of 30 vulnerabilities: 10 rated Critical, 15 High, and 5 Moderate. Affected Android versions range from 4.4.4 to 8.0, though only some of the vulnerabilities affect every release.

The most affected component was the media framework, with 24 vulnerabilities addressed, including 10 rated Critical, all of them remote code execution flaws. 10 other bugs were rated High: one remote code execution, 4 elevation of privilege, and 5 denial of service issues.

The remaining 4 bugs are considered Moderate risk. Three of them, however, carry the Moderate rating only when they affect Android 7.0, 7.1.1, 7.1.2, or 8.0; on platform releases older than 7.0 they are considered High severity, Google’s advisory reads.

As part of the 2017-09-01 security patch level, Google also addressed a High risk elevation of privilege flaw in Framework, three High risk (2 remote code execution and one elevation of privilege) issues in Libraries, one High severity denial of service bug in Runtime, and one Moderate elevation of privilege bug in System.

Tracked as CVE-2017-0780, the denial of service vulnerability in Runtime affects Nexus and Pixel devices and allows an attacker to remotely crash a victim’s Android Messages app by sending a malformed multimedia message (MMS), Trend Micro reveals. If the bug is triggered, the app can’t recover even if the device is rebooted.


The bug resides in unhandled, Java-level Null Pointer Exceptions (NPEs) raised while the messaging app parses Graphics Interchange Format (GIF) files. An attacker looking to exploit the bug needs to know the phone number of the victim they want to send the malicious GIF to.
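The defensive lesson in that description is that a message attachment is untrusted input and that a parse failure must stay confined to the one attachment rather than take down the whole app. The following Python example is added here to illustrate that pattern; it is not code from the article, from Google, or from the Android Messages app, and it parses only the fixed-size GIF header and logical screen descriptor defined by the GIF specification. The sample byte strings are constructed for the example.

```python
import struct

# Constructed samples: a minimal valid GIF89a header with a 2-entry global
# colour table, a truncated header, and data with a wrong signature.
VALID_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # 1x1 screen, GCT present, size bits 0
    + b"\x00\x00\x00\xff\xff\xff"              # 2 colour table entries (black, white)
)
TRUNCATED_GIF = b"GIF89a\x01\x00"
NOT_A_GIF = b"NOTGIF" + b"\x00" * 7


class MalformedGif(ValueError):
    """Raised when attachment bytes do not form a valid GIF header."""


def parse_gif_header(data: bytes) -> dict:
    """Validate the 6-byte signature and 7-byte logical screen descriptor.

    Every length and range check raises MalformedGif instead of letting an
    IndexError or a None propagate, which is the failure mode the article
    describes for the messaging app.
    """
    if len(data) < 13:
        raise MalformedGif("truncated header")
    signature = data[:6]
    if signature not in (b"GIF87a", b"GIF89a"):
        raise MalformedGif("bad signature")
    width, height, packed, _bg_index, _aspect = struct.unpack("<HHBBB", data[6:13])
    if width == 0 or height == 0:
        raise MalformedGif("zero-sized logical screen")
    has_gct = bool(packed & 0x80)
    gct_entries = 2 ** ((packed & 0x07) + 1) if has_gct else 0
    if has_gct and len(data) < 13 + 3 * gct_entries:
        raise MalformedGif("truncated global colour table")
    return {
        "version": signature[3:].decode("ascii"),
        "width": width,
        "height": height,
        "global_color_table_entries": gct_entries,
    }


def render_attachment(data: bytes) -> str:
    """Per-attachment failure handling: a bad GIF yields a placeholder string.

    The caller (a conversation view in this hypothetical app) never sees an
    exception, so one malformed attachment cannot crash the whole thread.
    """
    try:
        info = parse_gif_header(data)
    except MalformedGif as exc:
        return f"[unsupported image: {exc}]"
    return f"GIF{info['version']} {info['width']}x{info['height']}"


if __name__ == "__main__":
    for name, blob in [("valid", VALID_GIF), ("truncated", TRUNCATED_GIF), ("not a gif", NOT_A_GIF)]:
        print(f"{name:10s} -> {render_attachment(blob)}")
```

The placeholder string is what the user sees for a bad attachment; the parser itself stays strict, so the point is where the failure is caught, not whether it is tolerated.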

A total of 51 vulnerabilities were resolved as part of the 2017-09-05 security patch level, but only three of them were rated Critical.

Qualcomm components emerge as the most impacted, with 21 vulnerabilities resolved in them, including 1 Critical remote code execution bug, 4 High risk flaws (1 information disclosure and 3 elevation of privilege), and 16 Moderate severity bugs (11 elevation of privilege and 5 information disclosure).

A total of 8 vulnerabilities were addressed in Broadcom components, including a Critical remote code execution bug, a High severity elevation of privilege issue, and five Moderate flaws (4 elevation of privilege and 1 information disclosure). Only one High severity information disclosure bug was addressed in Imgtk components.

The 2017-09-05 security patch level also resolves 11 flaws in Kernel components, including 1 Critical remote code execution, 7 High risk issues (3 elevation of privilege, 3 information disclosure and 1 denial of service), and 3 Moderate bugs (2 elevation of privilege and 1 information disclosure).

As part of this month’s set of patches, 10 vulnerabilities were resolved in MediaTek components, 7 rated High and 3 Moderate. All of these flaws were elevation of privilege issues.

All Google devices will receive the 2017-09-05 security patch level, which addresses all vulnerabilities included in that patch level string and in the previous patch level strings. However, the patches will be delivered to these devices as part of the upgrade to Android 8.0 Oreo, Google said.
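Because the two patch level strings are cumulative, a fleet check only needs the date each device reports in `ro.build.version.security_patch` (readable with `adb shell getprop`). The Python below is an added example of that check, not code from the article or from Google; the device names and property values are constructed, and the coverage labels are this example's own.

```python
from datetime import date
from typing import Dict, Optional

# The two patch levels from the September 2017 bulletin. A device at or above
# 2017-09-05 carries everything from both levels; one at 2017-09-01 carries
# only the first level's fixes (Framework, Media framework, Libraries,
# Runtime, System), not the Qualcomm/Broadcom/Kernel/MediaTek/Imgtk fixes.
LEVEL_1 = date(2017, 9, 1)
LEVEL_2 = date(2017, 9, 5)

# Constructed sample: what `adb shell getprop ro.build.version.security_patch`
# returned per device (hypothetical device names).
SAMPLE_DEVICES = {
    "pixel-lab-01": "2017-09-05",
    "nexus-lab-02": "2017-09-01",
    "tablet-lab-03": "2017-08-05",
    "phone-lab-04": "2017-10-01",
    "broken-lab-05": "unknown",
}


def parse_patch_level(value: str) -> Optional[date]:
    """Parse the YYYY-MM-DD patch level string; None if it is not a date."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def coverage(value: str) -> str:
    """Classify a reported patch level against the September 2017 bulletin.

    Returns 'full' (both levels), 'partial' (2017-09-01 only),
    'none' (older than the bulletin) or 'unknown' (unparseable).
    """
    level = parse_patch_level(value)
    if level is None:
        return "unknown"
    if level >= LEVEL_2:
        return "full"
    if level >= LEVEL_1:
        return "partial"
    return "none"


def summarize(devices: Dict[str, str]) -> Dict[str, str]:
    """Map each device name to its coverage label."""
    return {name: coverage(value) for name, value in devices.items()}


if __name__ == "__main__":
    for name, status in summarize(SAMPLE_DEVICES).items():
        print(f"{name:14s} {SAMPLE_DEVICES[name]:>11s}  {status}")
```

Devices labelled `partial` are the ones to chase: they report a September date but still lack the vendor and kernel fixes that only the 2017-09-05 level carries.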

Related: Google Patches Critical Vulnerabilities in Android

Related: Google Patches More Critical Flaws in Android Mediaserver


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
