Google patched 57 vulnerabilities Monday affecting the Android operating system, the kernel, and chipset components from third-party firms MediaTek, NVIDIA and Qualcomm. Eleven of the bugs are rated critical and 46 are rated high.
Google said the most severe of the vulnerabilities are remote code execution bugs (CVE-2018-9341, CVE-2018-5146 and CVE-2017-13230) in the Android media framework “that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”
One of the remote code execution bugs (CVE-2018-5146) is related to the open-source Ogg Vorbis audio codec used in the Android media framework. The vulnerability is an out-of-bounds memory write flaw that occurs while the media framework is processing Vorbis audio data. It was first made public on March 16 at the Pwn2Own hacker contest by Huzaifa Sidhpurwala, senior product security engineer at Red Hat. The bug also impacted versions of Mozilla’s Firefox and the Thunderbird mail client, according to Rapid7.
The second remote code execution vulnerability (CVE-2017-13230) is an out-of-bounds write flaw in the Android media framework’s implementation of the High Efficiency Video Coding (H.265) video compression standard. The bug was first made public on Feb. 2 and patched Feb. 5 as part of Google’s February Android Security Bulletin. At that time, it was rated as medium severity.
“In hevc codec, there is an out-of-bounds write due to an incorrect bounds check with the i2_pic_width_in_luma_samples value. This could lead to remote escalation of privilege with no additional execution privileges needed,” according to the National Vulnerability Database description of the CVE.
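As an added illustration of the bug class the NVD text describes (this is hypothetical model code, not the libhevc source and not part of the original article): a width taken from the bitstream is checked too weakly before it drives writes into a frame buffer that was allocated for a fixed maximum size. ALLOC_WIDTH, MIN_CB_SIZE, the 4-byte header layout and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the picture-width check, not the libhevc code itself:
 * the decoder allocates frame storage once for a maximum size, then reads the
 * picture width from the stream's sequence parameter set and uses it to size
 * later writes into that storage. */
#define ALLOC_WIDTH  4096u  /* luma samples per row the buffer was sized for */
#define MIN_CB_SIZE  8u     /* HEVC: width must be a multiple of MinCbSizeY */

/* Constructed 4-byte header (width, height, big-endian) standing in for the
 * real SPS fields. */
int parse_pic_size(const uint8_t *hdr, size_t len,
                   uint16_t *width, uint16_t *height) {
    if (len < 4) return -1;
    *width  = (uint16_t)((hdr[0] << 8) | hdr[1]);
    *height = (uint16_t)((hdr[2] << 8) | hdr[3]);
    return 0;
}

/* Weak check: rejects only a zero width, so a stream value larger than the
 * allocation passes and later row writes run off the end of the buffer. */
bool weak_width_check(uint16_t i2_pic_width_in_luma_samples) {
    return i2_pic_width_in_luma_samples != 0;
}

/* Hardened check: the width must fit the allocated row and satisfy the
 * alignment the standard requires. */
bool validate_pic_width(uint16_t i2_pic_width_in_luma_samples,
                        uint32_t alloc_width) {
    uint32_t w = i2_pic_width_in_luma_samples;
    return w != 0 && w <= alloc_width && (w % MIN_CB_SIZE) == 0;
}

/* Copy one row of luma samples into the frame buffer, gated by the hardened
 * check. Returns samples written, or 0 when the width is rejected; an
 * ungated variant would memcpy pic_width bytes regardless. */
size_t write_luma_row(uint8_t *row, uint32_t alloc_width,
                      const uint8_t *src, uint16_t pic_width) {
    if (!validate_pic_width(pic_width, alloc_width)) return 0;
    memcpy(row, src, pic_width);
    return pic_width;
}
```

A header claiming a width of 8192 passes weak_width_check but is refused by validate_pic_width, so write_luma_row never copies past the 4096-sample row.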
Google and MITRE did not offer any details on the third remote code vulnerability (CVE-2018-9341).
A critical flaw in the MediaTek chipset was also patched. The bug is a buffer overflow condition that an adversary could trigger in an Android trustlet (a trusted process, or IUM process). “Lack of boundary checking of a buffer in trustlet can lead to memory corruption,” Samsung writes in its bulletin.
Four critical flaws in Qualcomm’s chipsets were also patched. Two (CVE-2017-18158, CVE-2018-5854) were related to the component’s Bootloader; one (CVE-2018-3569) was tied to the WLAN Host; and the fourth (CVE-2017-18155) was a problem in a “hardware codec.”
Google says Pixel and Nexus devices will begin receiving over-the-air updates on Monday. It takes about a week and a half for the updates to reach all Nexus devices. Samsung, LG and other vendors typically trail Google in updating qualifying devices, but do so monthly. Some vendors also don’t deliver all available patches at one time. Samsung, for example, states, “Some patches to be received from chipset vendors (also known as Device Specific patches) may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.” Often patches first need to be tested on target devices to make sure the patch is compatible.