Google pushed out its monthly Android patches Monday, addressing 17 critical vulnerabilities, six of which are tied to its problematic Mediaserver component. An additional four critical vulnerabilities related to Qualcomm components in Android handsets including Google’s own Nexus 6P, Pixel XL and Nexus 9 devices were also patched.
“The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files,” wrote Google in its May Android Security Bulletin.
That “most severe” vulnerability traces back to Android’s Mediaserver component. According to Google, an attacker could exploit the Mediaserver vulnerability by using a specially crafted file to cause memory corruption during media file and data processing and execute remote code.
Qualcomm bootloader vulnerabilities triggered two critical patches (CVE-2016-10275 and CVE-2016-10276) issued by Google. The bugs create conditions ripe for an elevation of privilege attacks. “An elevation of privilege vulnerability in the Qualcomm bootloader could enable a local malicious application to execute arbitrary code within the context of the kernel,” according to the bulletin.
An additional critical Qualcomm vulnerability (CVE-2017-0604) in the chipmaker’s power driver could also enable a local malicious application to execute arbitrary code within the context of the kernel, Google wrote.
With this update, as with previous Android updates, Google split patches into two levels. One is the May 1, partial security patch level and the second is May 5, the complete security patch level.
Having two patch levels, Google explains, “provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices.” The 2017-05-05 addresses all previous security patch level strings, it said.
Six of the 17 critical patches are addressed with the 2017-05-01 partial security patches. Of all the critical, high and moderate vulnerabilities reported Monday, Google said there were no reports of exploited bugs in the wild.
It’s also worth noting that last week Google said two Nexus devices (6 and 9) released in November 2014 would no longer be “guaranteed” to receive security updates after October 2017. It also offered a similar timeline for Pixel XL of October 2019. The move underscores larger struggles by Google to balance device fragmentation with a timely rollout of security patches for all of its own devices and those made by third-party manufacturers.