Five critical vulnerabilities were reported by Google Monday as part of its October Android Security Bulletin. In all, 14 patches were issued for corresponding vulnerabilities, ranging in severity from critical to high.
The relatively low bug count for October is due to a change, announced this month, in how Google handles security bulletins. It introduced a separate monthly Pixel/Nexus Security Bulletin that covers bugs fixed for these specific devices.
The Android Security Bulletin will continue to report on partial patch levels and complete patch levels monthly. But because of this change, Google reported just over a dozen vulnerabilities for the month of October.
Three of the vulnerabilities, rated critical, are tied to remote code execution bugs found in the Android media framework. Another two critical vulnerabilities are related to Qualcomm components.
The Android Security Bulletin also contains a fix for the Dnsmasq software flaws, which impact Android as well as Mac OS X, various Linux distributions, routers and IoT devices.
Google said one of the most severe bugs this month was an escalation of privileges (EoP) vulnerability (CVE-2017-0806) impacting Android versions 6.0 (Marshmallow) through its most recent Android 8.0 (Oreo) OS. According to Google, the vulnerability “could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.” That could lead to further attacks.
Other “severe” bugs, according to Google, included two vulnerabilities found in Android kernel components that could enable a local malicious application to execute arbitrary code within the context of a privileged process.
One of the two EoP vulnerabilities is CVE-2017-7374, which impacts the Android filesystem. According to application security firm F5 Networks, the bug is a use-after-free vulnerability in the cryptographic file system (fs/crypto/) in the Linux kernel. It allows local users to cause a denial of service condition or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs file system encryption. That can cause “cryptographic transform objects to be freed prematurely,” F5 Networks said.
A second severe vulnerability is the EoP bug CVE-2017-9075, also tied to the Android kernel and the network subsystem. “An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely,” wrote security experts at Brocade.
The October bulletin also includes a bevy of fixes on the hardware side of the house, including patches for drivers for MediaTek and Qualcomm hardware.
Two of the Qualcomm vulnerabilities are critical. CVE-2017-11053 is an issue with the system-on-a-chip driver that allows remote code execution. The patch for a second Qualcomm vulnerability (CVE-2017-9714) addresses a bug in the network subsystem and blocks privilege escalation.
The last patch, rated as high severity, is tied to a MediaTek system-on-a-chip driver vulnerability (CVE-2017-0827). Google says the flaw could enable a local malicious application to execute arbitrary code within the context of a privileged process.
As for the Pixel/Nexus Security Bulletin, Google lists 38 security vulnerabilities. The company says the vulnerabilities impact the Android OS and components manufactured by Broadcom, HTC, Huawei, Motorola and Qualcomm.
“Security vulnerabilities that are documented in (the Android) security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in device / partner security bulletins are not required for declaring a security patch level,” Google said of the new bulletin.