In Brief
Google has released its monthly safety patches for Android this week, addressing 17 critical vulnerabilities, half dozen of which touching on Android Mediaserver constituent that could move used to execute malicious code remotely.Besides patches for Mediaserver, Google equally good fixed 4 critical vulnerabilities related to Qualcomm components discovered inward Android handsets, including Google's Nexus 6P, Pixel XL, as well as Nexus nine devices.
According to the Google safety bulletin for Android published Monday, this month's safety update is i of the largest safety fixes the fellowship always compiled inward a unmarried month.
Google has separate Android's monthly safety bulletin into safety "patch levels":
- Partial safety land level (2017-05-01) covers patches for vulnerabilities that are mutual to all Android devices.
- Complete safety land level (2017-05-05) includes additional fixes for hardware drivers equally good equally amount components that are introduce entirely inward about devices.
Critical RCE Flaw inward Android Mediaserver
The almost severe vulnerability exists inward Mediaserver – an Android constituent that handles the processing of icon as well as video files as well as has been a source of many issues over the past times few years, including the critical Stagefright vulnerabilities.
According to the search engine giant, the Mediaserver vulnerability "could enable remote code execution on an affected device through multiple methods such equally email, spider web browsing, as well as MMS when processing media files."
In other words, attackers could exploit the Mediaserver vulnerability past times tricking users into downloading a peculiarly crafted multimedia file on their devices, or sharing the media file via e-mail or other messaging apps as well as remotely execute arbitrary code.
Interestingly, this vulnerability could move triggered piece y'all sleep, equally it’s non fifty-fifty necessary for y'all to opened upward the file because equally shortly equally your device receives the media file, the file organisation volition displace Mediaserver to procedure it.
The vulnerability was discovered inward early on Jan as well as affects Android versions 4.4.4 KitKat through 7.1.2 Nougat.
Kernel-level Vulnerabilities inward Qualcomm
Google has equally good patched 4 critical vulnerabilities that stemmed from Qualcomm components as well as could allow an assailant to hit high-level (root) privileges on an Android device.
Two critical vulnerabilities (CVE-2016-10275 as well as CVE-2016-10276) inward Qualcomm bootloader practise weather condition ripe for an superlative of privilege attacks, enabling "a local malicious application to execute arbitrary code inside the context of the kernel," according to the bulletin.
Another critical Qualcomm põrnikas (CVE-2017-0604) inward might driver could equally good allow a local malicious application to execute malicious code on the device inside the context of the kernel, which is the almost privileged expanse of the OS.
No Evidence of Flaws Being Exploited inward the Wild
Six of the 17 critical patches are addressed alongside the 2017-05-01 partial safety patches, piece the remaining eleven critical safety flaws affecting diverse drivers, libraries as well as bootloaders are patched inward the 2017-05-05 consummate land level.
Good intelligence is that Google assured its users that at that topographic point are no reports of whatsoever of the safety vulnerabilities existence exploited inward the wild.
Google says, having 2 land levels "provide Android partners alongside the flexibility to to a greater extent than speedily ready a subset of vulnerabilities that are like across all Android devices."
So, users are strongly advised to download the almost recent Android safety update to conk on their devices protected against whatsoever potential attack.
Nexus as well as Pixel devices volition have the consummate land inward an over-the-air update inward the coming days, or the owners tin download it postulate from Google's developer site.
It's equally good worth noting that Google revealed final calendar week that the Nexus half dozen as well as Nexus 9, which were released inward Nov 2014, would no longer move "guaranteed" to have safety updates later Oct 2017.
H5N1 like timeline has been offered for newer Pixel as well as Pixel XL handsets of Oct 2019. After that, the tech giant volition entirely force necessary safety fixes to those devices.
