Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Resolves Critical Vulnerabilities in Android’s Media Framework

Google this week published its August 2017 Android security bulletin, which includes information on more than 40 vulnerabilities addressed in the mobile operating system this month, including 10 Critical flaws addressed in media framework.

Google this week published its August 2017 Android security bulletin, which includes information on more than 40 vulnerabilities addressed in the mobile operating system this month, including 10 Critical flaws addressed in media framework.

This month’s Android security bulletin is split into two security patch level strings and contains one of the lowest number of patches since Google started delivering these monthly updates two years ago.

The first of the security patch level strings included in the bulletin (the 2017-08-01 security patch level) addresses 28 security bugs in three Android components: framework, libraries, and media framework. 10 of the issues were rated Critical severity, 15 High risk, and 3 Moderate severity, Google’s advisory reveals.

Media framework was the most impacted component, as it saw a total of 26 vulnerabilities being resolved in it: 10 Critical remote code execution bugs, 14 High risk denial of service and elevation of privilege issues, and 2 Moderate information disclosure vulnerabilities.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google says.

One elevation of privilege was addressed in framework and one remote code execution in libraries.

The second security patch level string in the August 2017 Android security bulletin (the 2017-08-05 security patch level) addresses 14 vulnerabilities in Broadcom, Kernel, MediaTek, and Qualcomm components.

One remote code execution flaw (Moderate risk) was resolved in Broadcom components; five elevation of privilege bugs (one High and four Moderate severity) were addressed in Kernel components; two elevation of privilege issues (one High, one Moderate) were found in MediaTek components; and five elevation of privilege and one information disclosure vulnerabilities (all Medium risk) were resolved in Qualcomm components.

Advertisement. Scroll to continue reading.

Three of the vulnerabilities in Kernel components (CVE-2017-10663, CVE-2017-10662, and CVE-2017-0750) were discovered by Trend Micro researchers and could cause memory corruption on the affected devices, leading to code execution in the kernel context. The flaws could be triggered by an app when a malicious disk using the F2FS (Flash-Friendly File System) is mounted.

Optimized for usage in devices with NAND memory, the F2FS file system is set as default on Android devices that ship with support for it, including those from Motorola, Huawei, and OnePlus, thus putting millions of users at risk, Trend Micro says. For the exploit to run, however, an attacker would need to compromise a privileged process with mount permission first.

“The problem for Linux may even be worse. Linux systems have supported F2FS since version 3.8 of the kernel was released in February 2013. Any Linux device with a kernel newer than this date is potentially at risk. However, not all distributions have enabled F2FS support by default. Systems where USB devices are set up to be automatically mounted upon insertion are most at risk, as this would mean simply inserting a malicious F2FS device would allow the exploit to work,” the security company notes.

Google devices will also receive patches for 9 other security vulnerabilities, if applicable, the Internet giant revealed. These include six information disclosure, two elevation of privilege, and one denial of service flaws, all rated Low severity. All Google devices will be updated to the August 05, 2017 security patch level over-the-air update (OTA).

Related: Google Patches Critical Vulnerabilities in Android

Related: Google Launches Security Services for Android

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.