Google patches pwnable 'droids for Wi-Fi vuln
Broadcom chipsets, who uses those? Oh, practically everyone
Google's latest Android security update has landed, and at least one of the bugs it patches is a treat: since it's related to Broadcom chipsets, it will reach far beyond the Android ecosystem.
“BroadPwn” (because there's no good bug without a brand) was turned up by Nitay Artenstein of Exodus Intelligence. You can find a full writeup here.
What we do know, however, is that he's exploited a pretty fundamental aspect of Wi-Fi: the chipset parses all the packets it handles, runs with no exploit mitigations, and, in the case of Broadcom's BCM43xx, is in 'droids from Nexus, HTC, LG and Samsung, and also in a bunch of iPhones.
(The Register notes the BCM43xx chipsets are also popular in various PCs, but Artenstein doesn't say whether the bug is exploitable on those platforms.)
The BlackHat teaser says the bug can be exploited all the way to remote code execution (RCE), without any user interaction.
The other entry for the “best in show” ribbon this time around is this set of Mediaserver bugs (http://www.securityfocus.com/bid/97330), also offering possible RCE exploits.
The libhevc library has an input validation bug, and can be attacked using a crafted file. The full security bulletin is here, and it covers Android versions 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, and 7.1.1. ®