Google is updating Android with its third security patch update for 2017, providing fixes for 105 vulnerabilities. The March 2017 patch count represents a dramatic increase over the 19 flaws that Google patched in its Android March 2016 update a year ago.
To date in 2017, Google has provided its Android users with patches for 253 vulnerabilities, with 90 in January, 58 in February and now 105 updates in March.
Looking specifically at the 35 critical updates addressed by Google in the March 2017 update, the usual suspects are once again well represented. Since Google’s very first Android security update in August 2015, the mediaserver component has been appearing in security updates and the March 2017 update is no exception. Nine of the critical flaws in the new update are remote code execution vulnerabilities in mediaserver.
The much maligned mediaserver component is further tagged for seven high impact denial of service vulnerabilities, as well as two additional information disclosure vulnerabilities rated as having moderate impact.
Though Google has been actively patching mediaserver related flaws in Android, the actual risks to users are somewhat muted. In a session at the recent RSA security conference, Adrian Ludwig, director of Android security at Google, stated that there were no confirmed cases of user exploitation as a result of he Stagefright mediaserver vulnerabilities that have been publicly disclosed by security researchers.
Among the critical updates is one for the open-source OpenSSL cryptographic library that Google has forked with its BoringSSL project.
“A remote code execution vulnerability in OpenSSL and BoringSSL could enable an attacker using a specially crafted file to cause memory corruption during file and data processing,” Google warns in its security advisory. “This issue is rated as Critical due to the possibility of remote code execution within the context of a privileged process.”
As has been the case in recent Android updates, Qualcomm driver components are also a leading contributor to the overall patch count. In total there are 35 different Qualcomm vulnerabilities patched in the Android March 2017 update, of which six are rated as critical. The patched Qualcomm flaws include privilege escalation issues in various components including WiFi, networking, bootloader, camera, fingerprint sensor and GPU drivers.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.