
It's August 2017 and your Android gear can be pwned by, oh look, just patch the things

Google addresses dozens of security flaws in mobile platform

By Shaun Nichols, 9 Aug 2017

Android users should be expecting a security update to land for the mobile operating system in short order, as Google has issued fixes for 99 CVE-listed programming cockups.

This month's update has been released for the Pixel and Nexus lines and kicked out to other manufacturers and carriers, which will post their own updates in time, hopefully. Check for system software updates via Settings, and install them if and when they're ready – you may have fallen out of support.

"Partners were notified of the issues described in the bulletin at least a month ago. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin," Google said.

"This bulletin also includes links to patches outside of AOSP."

Google says it has had no reports of any active attacks on the holes patched.

Twenty-six of the flaws are within the Android media framework, and Google says they are the top security risks. They include 10 remote code execution bugs rated as "critical" risks, and six denial of service flaws. The remote code execution bugs can be triggered by loading a specially crafted media file.

Six of the CVEs concern vulnerabilities in Qualcomm components that could be exploited by malicious applications to gain control of the device: five of the holes could allow elevation of privilege, and the sixth permits information disclosure.

Another patched flaw (CVE-2017-0740) addresses a remote code execution bug in Broadcom's wireless networking driver. "A remote attacker" can use "a specially crafted file to execute arbitrary code within the context of an unprivileged process," the advisory reads.

Nine of the fixes are for specific drivers for Google hardware. They include elevation of privilege vulnerabilities (CVE-2017-0744) in the sound driver and information disclosure bugs in the system-on-chip, audio, radio, and networking drivers.

The Android kernel itself was the subject of five CVE-listed flaws, all of which could allow for elevation of privilege by malicious apps, allowing them to commandeer handhelds and other gadgets.

The update comes on the heels of Microsoft and Adobe's monthly security updates to patch flaws in Flash Player, Windows, Internet Explorer, Edge, and Office. ®
