Google Patches 29 Critical Android Vulnerabilities Including Holes in Mediaserver, Qualcomm

Google patched a critical hole in its problematic Android Mediaserver component that could have allowed an attacker to use email, web browsing, and MMS processing of media files to remotely execute code.

Google has patched ten critical vulnerabilities tied to problem-plagued Android components like Mediaserver, NVIDIA’s GPU driver, and Qualcomm’s driver. The most serious bug, according to Google’s January Android Security Bulletin, is the Mediaserver vulnerability.

“The most severe of these issues is a critical security vulnerability (CVE-2017-0381) that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files,” according to the bulletin.

The Android Mediaserver component has been patched nearly three dozen times since the Stagefright vulnerability was discovered in August of 2015. Along with the Mediaserver RCE vulnerability, Google identified several other flaws within the Mediaserver component such as (CVE-2017-0390) a denial of service vulnerability (CVE-2017-0387) and an elevation of privilege vulnerability – both classified as high risk.

The patches are part of Google’s monthly over-the-air security update for Android Nexus devices. Google said the first wave of patches for its Nexus handsets were available on January 1. Supported Google devices will receive a single over-the-air update on January 5, according to Google.

Samsung and LG have also released January patches for their Android devices and have committed to sending Google and their own over-the-air patches to affected devices as soon as possible.

“While we are doing our best to deliver the security patches as soon as possible to all applicable models, delivery time of security patches may vary depending on the regions and models,” Samsung’s January security bulletin reads.

“We have had no reports of active customer exploitation or abuse of these newly reported issues,” according to Google. In all, just under 100 CVEs were fixed as part of Google’s January bulletin. Of those CVEs, 29 were rated critical, 41 were rated high and 26 were considered moderate risk vulnerabilities.

Among the other critical vulnerabilities patched by Google is an elevation of privilege vulnerability (CVE-2016-8424) identified in NVIDIA’s GPU driver as well as in Qualcomm’s bootloader (CVE-2016-8422). Additional critical elevation of privileges vulnerabilities were identified within several Qualcomm components such as cameras (CVE-2016-8412) used in Android Snapdragon phones made by LG and Samsung. Like Mediaserver, Qualcomm’s components have also been aggressively patched by Google with the most notable flaw, QuadRooter, having been identified in August 2016.

Additional security issues were identified and patched in lesser-known Android components such as C-ares (CVE-2016-5180), Framesequence (CVE-2017-0382) and libnl (CVE-2017-0386).

“An elevation of privilege vulnerability in the libnl library could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as high because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application,” Google wrote.

Google thanked nearly 40 individuals and teams for finding and reporting vulnerabilities in the January Android Security Bulletin. Trend Micro researcher Peter Pi and Trend Micro’s Mobile Threat Research Team are credited with finding what Google identified as the most serious Mediaserver vulnerability, along with seven additional critical vulnerabilities. Researchers at C0RE Team are credited for identifying a critical bug (CVE-2016-8435) tied to an elevation of privilege vulnerability in NVIDIA GPU driver.

Vendors such as LG and Samsung have also released updates to their Android devices. Last week LG notified its users of eight patches tied to its G3, G4, G4 Stylus, G5, V10, V20, CK, and G Stylo Android devices. Samsung notified users of 28 Samsung device-specific vulnerabilities.

Suggested articles