Google is out with its April 2017 Android security update, patching 102 different vulnerabilities in the mobile operating system. Of the vulnerabilities patched by Google this month, only 15 are rated as having critical impact.
Not surprisingly, the mediasever component is once again being patched by Google. The Android mediasever has been patched in every Android security update issued by Google since August 2015. In the new April update, mediaserver accounts for 15 flaws in total, including six rated as critical, five as high and four with only moderate impact.
“A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing,” Google’s advisory on the six critical mediaserver vulnerabilities states. “This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process.”
Flaws in the Android mediaserver first were publicly reported back in July 2015, with the initial Stagefright vulnerability that was discovered by Joshua Drake, vice president of Platform Research and Exploitation at Zimperium. Google has been patching mediaserver regularly and with the Android 7 ‘Nougat’ operating system update, made significant improvements to help limit mediaserverer related security risks. In a March 2017 interview with eWEEK, Adrian Ludwig, director of Android security at Google, explained that mediaserver issues will continue to be patched in Android, to further limit risks for both older and current versions of Android.
“If the issue is potentially exploitable on any of the supported devices, then we make a patch available for all of them,” Ludwig said.
Also of note in the April Android security update is a critical vulnerability identified as CVE-2017-0561, in Broadcom’s Wi-Fi firmware.
“A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi SoC (System on a Chip),” Google warns in its advisory.
The Broadcom flaw was discovered by security researcher Gal Beniamini with Google’s Project Zero security research team and was first reported privately in December 2016. Beniamini is also credited with reporting four other related high impact privilege escalation flaws with Broadcom’s Wi-Fi driver (CVE-2017-0571, CVE-2017-0570, CVE-2017-0572, CVE-2017-0569) that were patched by Google in the Android April update.
There is also a patch for an interesting privilege escalation flaw rated a critical, in the HTC touchscreen driver, identified as CVE-2017-0563.
“An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel,” Google warns in its advisory. “This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.”
As has been the case in many recent Android updates, there is also a long list of vulnerabilities that are being patched in various Qualcomm components and drivers. In total, there are 41 different Qualcomm vulnerabilities patched in the April update, with 21 rated as critical, 12 as high and 8 at the moderate level.