Google today patched more than three-dozen critical vulnerabilities in Qualcomm components embedded in the Android operating system, all of them allowing attackers to gain a foothold on devices to launch further attacks.
The Qualcomm-related patches are among dozens in the monthly Android Security Bulletin, which marks its first anniversary this week after its maiden voyage a year ago during the Black Hat USA 2015 hacker conference. This year’s Black Hat begins tomorrow in Las Vegas.
Most of the Qualcomm components elevation of privileges vulnerabilities patched today are two years old and are part of the Aug. 5 patch level. Google also made available today an Aug. 1 patch level release that patches three critical bugs in Mediaserver.
Google said its Nexus devices were patched in over-the-air updates; its partners were notified of the fixes on July 6 and source code patches will be released to the Android Open Source Project repository within 48 hours.
Qualcomm vulnerabilities have been a focus around Android this summer starting with the May disclosure of a vulnerability in the chipmaker’s Secure Execution Environment (QSEE). The flaw affected 60 percent of Android devices before it was patched.
The Aug. 5 patch level also fixed a remote code execution vulnerability in the Qualcomm Wi-Fi Driver, also dating back to 2014 (CVE-2014-9902), and another RCE bug in Conscrypt, which is a Java security provider that uses OpenSSL, according to a description on the Conscrypt site.
The bulletin also patches six other critical bugs, all of them elevation of privilege flaws, two in the Android kernel networking component, two in the Qualcomm GPU driver and others in the Qualcomm performance component and in the Android kernel.
The August patch release is the first respite from critical Mediaserver vulnerabilities in months. Mediaserver is a core Android component and proof-of-concept exploits for last summer’s Stagefright flaws targeted it because of its kernel access.
Various Qualcomm components now seem to be the new Mediaserver. In addition to the critical bugs patched today, a number of other elevation of privilege flaws and information disclosure bugs in Qualcomm bootloader and components were addressed that were rated high severity by Google.
Several kernel-related elevation of privilege flaws, all rated high severity, were addressed, including in the kernel, the kernel memory system, kernel sound component, kernel file system, kernel video driver, kernel scheduler, and the kernel performance subsystem.
In the Aug. 1 patch level, Google patched four elevation of privilege and four denial of service flaws in Mediaserver rated high severity, along with a remote code execution flaw rated high in libjhead and a denial of service flaw in the system clock.