Now on Demand: CISO Forum Virtual Summit - All Sessions Available to Watch Instantly
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Releases Additional Meltdown Mitigations for Android

As part of its May 2018 Android Security Bulletin, Google this week released additional mitigations for the Meltdown attack that impacts microprocessors from Intel, AMD, and other vendors.

As part of its May 2018 Android Security Bulletin, Google this week released additional mitigations for the Meltdown attack that impacts microprocessors from Intel, AMD, and other vendors.

The attack leverages CVE-2017-5754, a security vulnerability that allows applications to bypass memory isolation and read arbitrary kernel memory locations. Meltdown was made public in January 2018 alongside Spectre, an attack residing in speculative execution (leveraging CVE-2017-5753 and CVE-2017-5715).

In January, Google released protections for both Meltdown and Spectre attacks, and this month delivered additional mitigations as part of the 2018-05-05 security patch level. Impacting Kernel components, the issue was addressed along with CVE-2017-16643, an information disclosure in USB driver.

“The most severe vulnerability in this section could enable a local malicious application to bypass operating system protections that isolate application data from other applications,” Google notes in an advisory.

The May 2018 Android Security Bulletin is split into two parts, the first being the 2018-05-01 security patch level, which addresses 7 High severity vulnerabilities in Android runtime, Framework, Media framework, and System.

The bugs include Information Disclosure, Elevation of Privilege, and Denial of Service and impact Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1 releases.

In addition to the Meltdown mitigations, the 2018-05-05 security patch level also includes patches for security flaws in NVIDIA and Qualcomm components.

Three vulnerabilities were addressed in NVIDIA components: an elevation of privilege rated Critical, along with an information disclosure and an elevation of privilege assessed as High risk. The most severe of the vulnerabilities could allow a malicious application to execute code within the context of the trusted execution environment (TEE).

Advertisement. Scroll to continue reading.

A total of 11 vulnerabilities were addressed in Qualcomm components, including a Critical remote code execution bug that could be exploited by an attacker over WLAN. Rated High severity, the remaining bugs included 9 elevation of privilege flaws and one denial of service issue.

Also this week, Google released a new set of patches for the Pixel and Nexus devices to address a total of 34 security bugs. Impacting Framework, Media framework, System, and Kernel, NVIDIA and Qualcomm components, the vulnerabilities feature a Moderate severity rating (two are considered High risk on Android 6.0 and 6.0.1).

In addition to security patches, the Pixel / Nexus Security Bulletin—May 2018 includes a couple of functional updates to address issues not related to the security of these devices.

Related: Google Patches 9 Critical Android Vulnerabilities in April 2018 Update

Related: Android’s March 2018 Patches Fix Critical, High Risk Flaws

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Secure enterprise browser provider Menlo Security has appointed Bill Robbins as President.

Erik Rolf has joined Booz Allen Hamilton as the Business Information Security Officer (BISO) of Commercial Sector.

Gant Redmon has joined Trustle as its new Chief Executive Officer and Board Director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.