Google has delivered what is probably its final Android update for 2017. The bulletin fixes a total of 47 vulnerabilities. Among them are five critical remote code execution issues that are particularly worrisome.
The Last Android Update for 2017 Fixes Several Critical Vulnerabilities
The Android security engineers have posted the last security bulletin for the Android mobile operating system. As usual it contains a lot of patches and fixes for critical and important security issues that have been reported in the last month. One of the most important remarks in the notes is that the team has released an emergency update for a critical security problem found in the Media framework. It essentially allows malicious hackers to execute arbitrary code by using a specially crafted file. Fortunately no abuse reports have been received by Google’s Android security team.
The Android security team also notes that some of the latest releases of the operating system have implemented a next-generation security platform that provides advanced services like Google Play Protect. These services reduce the likelihood of successful security intrusions and of vulnerabilities being exploited. The developers now have the ability to monitor devices for abuse by using the components of the Google Play Protect services. Users can also be warned about possible issues by the Potentially Harmful Applications prompts. Devices running newer versions of Google Mobile Services will automatically have the Google Play Protect services enabled.
Further Details About the Patched Google Android Vulnerabilities
The Android security bulletin begins with three distinct vulnerabilities that target the main operating system framework. Successful exploitation allows a local malicious app to bypass the user interaction requirements. As a result the dangerous app can gain access to additional permissions. They are tracked in three advisories:
- CVE-2017-0807 — An elevation of privilege vulnerability in the Android framework (ui framework). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-35056974.
- CVE-2017-0870 — An elevation of privilege vulnerability in the Android framework (libminikin). Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-62134807.
- CVE-2017-0871 — An elevation of privilege vulnerability in the Android framework (framework base). Product: Android. Versions: 8.0. Android ID A-65281159.
The Media framework issue is categorized by the Android security researchers as the most severe vulnerability in this month’s bulletin. It enables remote attackers to execute arbitrary code with elevated privileges. This is done by crafting a special file and running it on the host system. It is tracked in the following advisories:
- CVE-2017-0872 — A remote code execution vulnerability in the Android media framework (libskia). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-65290323.
- CVE-2017-0876 — A remote code execution vulnerability in the Android media framework (libavc). Product: Android. Versions: 6.0. Android ID A-64964675.
- CVE-2017-0877 — A remote code execution vulnerability in the Android media framework (libavc). Product: Android. Versions: 6.0. Android ID A-66372937.
- CVE-2017-0878 — An XML external entity expansion vulnerability exists in Apache Solr. The vulnerability is due to improper handling of XML external entities in user submitted XML content. A remote attacker can exploit this vulnerability by submitting a crafted request to the target server.
- CVE-2017-13151 — A remote code execution vulnerability in the Android media framework (libmpeg2). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-63874456.
- CVE-2017-13153 — An elevation of privilege vulnerability in the Android media framework (libaudioservice). Product: Android. Versions: 8.0. Android ID A-65280854.
- CVE-2017-0837 — An elevation of privilege vulnerability in the Android media framework (libaudiopolicymanager). Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-64340921.
- CVE-2017-0873 — A denial of service vulnerability in the Android media framework (libmpeg2). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-63316255.
- CVE-2017-0874 — A denial of service vulnerability in the Android media framework (libavc). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-63315932.
- CVE-2017-0880 — A denial of service vulnerability in the Android media framework (libskia). Product: Android. Versions: 7.0, 7.1.1, 7.1.2. Android ID A-65646012.
- CVE-2017-13148 — A denial of service vulnerability in the Android media framework (libmpeg2). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-65717533.
Google Patches Android System Components in the Last 2017 Security Update
The Android security team points out that another serious issue has been identified in the system processes as well. A bug has been identified which allows a proximate attacker to execute malware code within the context of a privileged process. The advisories that track the vulnerability are the following: CVE-2017-13160, CVE-2017-13156, CVE-2017-13157, CVE-2017-13158 and CVE-2017-13159.
Another section of the document reveals that malware applications can execute arbitrary code through the kernel modules. This issue is tracked in the following advisories: CVE-2017-13162, CVE-2017-0564, CVE-2017-7533 and CVE-2017-13174. Note that one of the identified issues is actually part of the upstream Linux kernel and was detected in desktop computers back in August.
Hardware manufacturers have also been found to contribute to the vulnerability landscape. Three separate vendors have been identified to have provided dangerous code to Android:
- MediaTek Components — The display driver, performance service and the specialist system server code enable local malware applications to execute arbitrary code within the context of a privileged process.
- NVIDIA Components — Two NVIDIA driver instances and a Mediaserver allow a local malicious application to execute arbitrary code within the context of a privileged process.
- Qualcomm Components — A severe Android security bug allows malware code execution on the target systems. The following components and their respective software are part of the threat: WLAN, UDP RPC, Fastboot, Gralloc, QBT1000 driver, RPMB driver, MProc.
- Qualcomm Closed-source Components — A total of 9 Android security vulnerabilities have also been identified in closed-source code that is the property of Qualcomm and is integrated in the Android operating system. For further information users can review the vendor’s own security alert.
The update has already been pushed to owners of AOSP devices. The critical updates are also available to the device vendors and they should push the patch to their own Android implementations. All Android users are advised to update as soon as the patches are released.