Google Patches More Critical Flaws in Android Mediaserver

Google this week announced the contents of the May 2017 Android security patches, revealing that six Critical Remote Code Execution (RCE) flaws were addressed in the Mediaserver component.

Over the past couple of years, Mediaserver emerged as one of the most vulnerable Android components, after a Critical RCE bug dubbed Stagefright was said to affect 950 million devices. Detailed in July 2015, the vulnerability encouraged Google to issue monthly security updates for Android.

A second Stagefright flaw was resolved only months later, and Google addressed numerous other vulnerabilities in Mediaserver over the nearly two years of regular patches. The company even decided to re-architect Mediaserver with the release of Android 7.0 Nougat in August last year, but security researchers continue to find vulnerabilities in the component.

Published on Monday, Google’s Android Security Bulletin for May 2017 was divided into two patch levels: the 2017-05-01 partial security patch level string, which addresses 20 flaws, and the 2017-05-05 complete security patch level string, which addresses 98 issues. None of the vulnerabilities has been exploited or abused in live attacks, Google’s advisory reveals.

The six Critical issues in Mediaserver, resolved in the 2017-05-01 patch level string, could enable remote code execution on affected devices through multiple methods, including email, web browsing, and MMS when processing media files. The bugs impact numerous platform versions, including Android 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, and 7.1.2.

The patch level also addresses three High-risk Elevation of privilege (EoP) and four Denial of service (DoS) (two High, one Moderate, and one Low severity) vulnerabilities in the Mediaserver component.

The remaining 7 issues include two High risk bugs in Framework APIs (one EoP and one Information disclosure), a High severity EoP in Audioserver, a Medium risk EoP in Bluetooth, and three Moderate severity Information disclosure vulnerabilities (in File-Based Encryption, Bluetooth, and OpenSSL & BoringSSL).

The 2017-05-05 security patch string resolves 23 Critical bugs, 59 High severity issues, and 16 Moderate risk flaws. All of the vulnerabilities addressed in the previous strings are also resolved in this patch level, Google notes.

The 23 Critical bugs included an RCE in GIFLIB, 8 EoPs in MediaTek touchscreen driver, Qualcomm bootloader, kernel sound subsystem, Motorola bootloader, NVIDIA video driver, Qualcomm power driver, kernel trace subsystem, and 14 various vulnerabilities in Qualcomm components.

Of the 59 High severity issues, 14 were various bugs in Qualcomm components; one RCE in libxml2; 40 EoPs in MediaTek drivers, Qualcomm drivers, kernel subsystems (performance and networking), Goodix touchscreen driver, and HTC bootloader; 3 Information disclosure flaws in MediaTek command queue driver and Qualcomm Wi-Fi and crypto engine drivers; and one DoS in Qualcomm Wi-Fi driver.

All of the 16 Moderate severity vulnerabilities were Information disclosure bugs, affecting kernel UVC driver and kernel trace subsystem, Qualcomm drivers (video, power, LED, shared memory, sound codec, camera, sound, SPCom), Broadcom Wi-Fi driver, and Synaptics touchscreen driver.

“The most interesting piece of the May Android patches is that Google fixed six issues affecting Mediaserver, all with critical severity indicating the potential for remote code execution. What is not clearly stated is whether the mitigations added into the Android 7.0 release might actually prevent an attacker from exploiting the bugs,” Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team (VERT), told SecurityWeek in an emailed comment.

“With Android 7.0, Google has revamped the Mediaserver component by moving risky parsing code into unprivileged sandboxes and by enabling Undefined Behavior Sanitizer (UBSAN) to prevent exploitation of the most common bug classes found in this component. It would be nice to see Google release more detailed bulletins indicating the impact of various vulnerabilities specifically to the different Android versions.

“It is also good to see that Google’s telemetry through SafetyNet did not reveal any active customer exploitation of any flaws fixed in the May update,” Young concluded.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
