In Brief
Google has released its monthly security patches for Android this week, addressing 17 critical vulnerabilities, six of which affect the Android Mediaserver component and could be used to execute malicious code remotely.
Besides patches for Mediaserver, Google also fixed four critical vulnerabilities related to Qualcomm components discovered in Android handsets, including Google's Nexus 6P, Pixel XL, and Nexus 9 devices.
According to the Google security bulletin for Android published Monday, this month's security update is one of the largest security fixes the company has ever compiled in a single month.
Google has split Android's monthly security bulletin into security "patch levels":
- Partial security patch level (2017-05-01) covers patches for vulnerabilities that are common to all Android devices.
- Complete security patch level (2017-05-05) includes additional fixes for hardware drivers as well as kernel components that are present only in some devices.
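The two patch levels above can be checked against the string a device reports in its `ro.build.version.security_patch` property. The script below is an added example, not code from the original article or from Google; the function names and the device inventory are constructed for illustration, and it assumes that a later patch level includes all earlier fixes.

```shell
#!/bin/sh
# Classify an Android security patch level against the May 2017 bulletin.
# On a device the string comes from:
#   adb shell getprop ro.build.version.security_patch
PARTIAL=20170501    # 2017-05-01: fixes common to all Android devices
COMPLETE=20170505   # 2017-05-05: adds driver and kernel component fixes

classify_patch_level() {
    level=$1
    # Patch levels are zero-padded dates (YYYY-MM-DD). Anything else, such as
    # an empty property on a build without the string, is reported as unknown.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    n=$(printf '%s' "$level" | tr -d '-')   # 2017-05-05 -> 20170505
    if [ "$n" -ge "$COMPLETE" ]; then
        echo complete    # both sets of fixes (assumption: levels are cumulative)
    elif [ "$n" -ge "$PARTIAL" ]; then
        echo partial     # common fixes only, driver/kernel fixes missing
    else
        echo missing     # predates this bulletin entirely
    fi
}

# Constructed inventory (device label, reported patch level); not real data.
audit_inventory() {
    while read -r name level; do
        [ -n "$name" ] || continue
        printf '%-10s %-12s %s\n' "$name" "${level:-<none>}" \
            "$(classify_patch_level "$level")"
    done <<'EOF'
device-a 2017-04-05
device-b 2017-05-01
device-c 2017-05-05
device-d 2017-06-01
device-e
EOF
}

audit_inventory
```

A device classified as `partial` still lacks the hardware driver and kernel component fixes, including the Qualcomm issues in the 2017-05-05 level.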
Critical RCE Flaw in Android Mediaserver
The most severe vulnerability exists in Mediaserver – an Android component that handles the processing of image and video files and has been a source of many issues over the past few years, including the critical Stagefright vulnerabilities.
According to the search engine giant, the Mediaserver vulnerability "could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."
In other words, attackers could exploit the Mediaserver vulnerability by tricking users into downloading a specially crafted multimedia file on their devices, or by sharing the media file via email or other messaging apps, and remotely execute arbitrary code.
Interestingly, this vulnerability could be triggered while you sleep, as it's not even necessary for you to open the file: as soon as your device receives the media file, the file system will cause Mediaserver to process it.
The vulnerability was discovered in early January and affects Android versions 4.4.4 KitKat through 7.1.2 Nougat.
Kernel-level Vulnerabilities in Qualcomm
Google has also patched four critical vulnerabilities that stemmed from Qualcomm components and could allow an attacker to gain high-level (root) privileges on an Android device.
Two critical vulnerabilities (CVE-2016-10275 and CVE-2016-10276) in the Qualcomm bootloader create conditions ripe for elevation of privilege attacks, enabling "a local malicious application to execute arbitrary code within the context of the kernel," according to the bulletin.
Another critical Qualcomm bug (CVE-2017-0604) in the power driver could also allow a local malicious application to execute malicious code on the device within the context of the kernel, which is the most privileged area of the OS.
No Evidence of Flaws Being Exploited in the Wild
Six of the 17 critical patches are addressed with the 2017-05-01 partial security patches, while the remaining 11 critical security flaws affecting various drivers, libraries and bootloaders are patched in the 2017-05-05 complete patch level.
The good news is that Google assured its users that there are no reports of any of the security vulnerabilities being exploited in the wild.
Google says having two patch levels "provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices."
So, users are strongly advised to download the most recent Android security update to keep their devices protected against any potential attack.
Nexus and Pixel devices will receive the complete patch in an over-the-air update in the coming days, or the owners can download it directly from Google's developer site.
It's also worth noting that Google revealed last week that the Nexus 6 and Nexus 9, which were released in November 2014, would no longer be "guaranteed" to receive security updates after October 2017.
A similar timeline of October 2019 has been offered for the newer Pixel and Pixel XL handsets. After that, the tech giant will only push necessary security fixes to those devices.