Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Patches Multiple Critical, High Risk Vulnerabilities in Android

Google patched several Critical and High severity vulnerabilities as part of its Android Security Bulletin for January 2018.

Google patched several Critical and High severity vulnerabilities as part of its Android Security Bulletin for January 2018.

A total of 38 security flaws were resolved in the popular mobile OS this month, 20 as part of the 2018-01-01 security patch level and 18 in the 2018-01-05 security patch level. Five of the bugs were rated Critical and 33 were rated High risk.

Four of the vulnerabilities addressed with the 2018-01-01 security patch level were rated Critical, all of them remote code execution bugs. The remaining 16 issues resolved in this patch level were High risk elevation of privilege and denial of service vulnerabilities.

An elevation of privilege bug that Google patched in Android runtime could be exploited remotely to bypass user interaction requirements in order to gain access to additional permissions.

The most severe of the 15 vulnerabilities resolved in Media framework could allow an attacker using a specially crafted malicious file to execute arbitrary code within the context of a privileged process. These include 3 Critical remote code execution bugs, 4 High severity elevation of privilege issues, and 8 High risk denial of service flaws.

One other Critical remote code execution bug was patched in System, along with two High severity elevation of privilege flaws and one High risk denial of service vulnerability.

Only one of the flaws fixed with the 2018-01-05 security patch level was a Critical vulnerability. Along with 6 High severity flaws, it was affecting Qualcomm closed-source components.

The patch level also resolved a High risk denial of service issue in HTC components and High risk elevation of privilege bugs in LG components, Media framework, MediaTek components, and NVIDIA components (one in each).

The security patch level addressed three High severity elevation of privilege and one information disclosure bug in Kernel components, along with two High risk elevation of privilege vulnerabilities in Qualcomm components.

Google also resolved 46 vulnerabilities in Google devices as part of the Pixel / Nexus Security Bulletin—January 2018. Most of the flaws were rated Moderate severity, exception making issues addressed in Media framework (some were rated Low risk and others were rated High severity on older Android versions).

Impacted components included Framework (1 vulnerability), Media framework (16 vulnerabilities), System (1 flaw), Broadcom components (1 issue), HTC components (1 flaw), Kernel components (7 bugs), MediaTek components (1 issue), and Qualcomm components (18 vulnerabilities).

In addition to patching security flaws, the security bulletin also addressed functionality issues on Pixel devices. The update adjusted the handling of key upgrades in keystore and improved stability and performance after installing an OTA.

On Google devices, all of these issues are fixed as part of the security patch levels of 2018-01-05 or later.

Related: Android’s December 2017 Patches Resolve Critical Flaws

Related: Google to Warn Android Users on Apps Collecting Data

Related: Google Patches Critical Bugs in Android

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Vulnerabilities

GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet