Google Patches Android for New Mediaserver Flaws in April Update | eWeek

Google Patches Android Security Vulnerabilities in April Update

Android Security
Apr 6, 2017
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Google is out with its April 2017 Android security update, patching 102 different vulnerabilities in the mobile operating system. Of the vulnerabilities patched by Google this month, only 15 are rated as having critical impact.

Not surprisingly, the mediasever component is once again being patched by Google. The Android mediasever has been patched in every Android security update issued by Google since August 2015. In the new April update, mediaserver accounts for 15 flaws in total, including six rated as critical, five as high and four with only moderate impact.

“A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing,” Google’s advisory on the six critical mediaserver vulnerabilities states. “This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process.”

Flaws in the Android mediaserver first were publicly reported back in July 2015, with the initial Stagefright vulnerability that was discovered by Joshua Drake, vice president of Platform Research and Exploitation at Zimperium. Google has been patching mediaserver regularly and with the Android 7 ‘Nougat’ operating system update, made significant improvements to help limit mediaserverer related security risks. In a March 2017 interview with eWEEK, Adrian Ludwig, director of Android security at Google, explained that mediaserver issues will continue to be patched in Android, to further limit risks for both older and current versions of Android.

“If the issue is potentially exploitable on any of the supported devices, then we make a patch available for all of them,” Ludwig said.

Also of note in the April Android security update is a critical vulnerability identified as CVE-2017-0561, in Broadcom’s Wi-Fi firmware.

“A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi SoC (System on a Chip),” Google warns in its advisory.

The Broadcom flaw was discovered by security researcher Gal Beniamini with Google’s Project Zero security research team and was first reported privately in December 2016. Beniamini is also credited with reporting four other related high impact privilege escalation flaws with Broadcom’s Wi-Fi driver (CVE-2017-0571, CVE-2017-0570, CVE-2017-0572, CVE-2017-0569) that were patched by Google in the Android April update.

There is also a patch for an interesting privilege escalation flaw rated a critical, in the HTC touchscreen driver, identified as CVE-2017-0563.

“An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel,” Google warns in its advisory. “This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.”

As has been the case in many recent Android updates, there is also a long list of vulnerabilities that are being patched in various Qualcomm components and drivers. In total, there are 41 different Qualcomm vulnerabilities patched in the April update, with 21 rated as critical, 12 as high and 8 at the moderate level.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.