Google Patches 108 Vulnerabilities in Android

Google Splits July Android Security Update Into Two Parts

Google on Wednesday published an advisory for its latest security updates for the Android operating system (OS), revealing that a total of 108 vulnerabilities were resolved in the popular mobile platform.

The Internet giant decided to split this month’s update into two parts: one to fix 33 flaws that impact all Android devices, and another containing patches for 75 device-specific vulnerabilities in various drivers. This is the first time a monthly update has been split in two, with one half focused on drivers, and not without reason: last month, Google resolved 16 flaws in Qualcomm drivers, after a critical issue in the Qualcomm Secure Execution Environment (QSEE) was found to affect 60% of all Android devices.

In addition to this flaw, several other security bugs in Qualcomm software were discovered over the past few months, including one in the Qualcomm tethering controller that allows a malicious application to access user information. Last week, a researcher revealed that a Critical flaw in the Qualcomm Secure Execution Environment (QSEE) could be exploited to bypass the Full Disk Encryption (FDE) security feature in Android 5.0 Lollipop.

The Mediaserver component, the one that prompted Google last year to start issuing monthly security patches for Android devices, is present in the July security bulletin as well. A total of 14 vulnerabilities were resolved in Mediaserver this month, including 7 that were deemed Critical, 4 rated High, and 3 assessed with a Medium severity rating.

The Critical vulnerabilities in Mediaserver can be exploited for remote code execution if the attacker sends a specially crafted file to the affected device. Playing the file would cause memory corruption, and the attacker could compromise the entire device because of the privileges the Mediaserver process holds within the OS.

Google also resolved a Critical Remote Code Execution (RCE) issue in OpenSSL & BoringSSL, which could be exploited to cause memory corruption during file and data processing. This flaw, as well as most of the Critical bugs fixed in Mediaserver, affected Android versions 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1, Google’s advisory reveals.

Among the High risk issues patched in Android this month are several elevation of privilege (EoP) vulnerabilities in libpng, Mediaserver, sockets, LockSettingsService, Framework APIs, and ChooserTarget; an RCE bug in Bluetooth; a couple of information disclosure vulnerabilities in Mediaserver and OpenSSL; and denial of service flaws in Mediaserver and libc.

Of the 75 vulnerabilities resolved in various drivers, 15 were rated Critical, all of them elevation of privilege issues. They were found to affect the drivers for the Qualcomm GPU in Nexus 5X, Nexus 6, and Nexus 6P; MediaTek Wi-Fi in Android One; NVIDIA video in Nexus 9; MediaTek components in Android One; and the USB component in multiple Nexus devices.

Affected components also included the Qualcomm performance component and kernel file system, as well as various other Qualcomm components in Nexus 5, Nexus 7 (2013), Nexus 5X, and Nexus 6P. By leveraging these vulnerabilities, a malicious application could execute arbitrary code within the context of the affected component, Google said.

Just like last month, Qualcomm components were affected the most, with a total of 40 flaws in them resolved with the July set of patches, including Critical, High, and Medium severity issues. Multiple vulnerabilities in MediaTek and Nvidia drivers were also patched this month.

As mentioned above, this month’s patches were split into two parts, one resolving issues in all Android devices and the other fixing only device-specific problems. Thus, users will see one of two announced patch levels on their devices: 2016-07-01 for the general platform fixes, and 2016-07-05 for the general fixes plus the driver-related ones.
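For a defender managing a fleet, the practical question is which of the two patch levels each device actually reports. The following is an added example, not code from the article or from Google: it takes the `YYYY-MM-DD` string that Android exposes as the `ro.build.version.security_patch` system property (readable with `adb shell getprop ro.build.version.security_patch`) and classifies each device against the two levels named above. The inventory data is constructed for the example; the device identifiers are placeholders. Because security patch levels are cumulative, any level on or after 2016-07-05 is treated as carrying the full July fix set.

```python
from datetime import date

# The two patch levels announced in the July 2016 bulletin (values from the article).
PLATFORM_ONLY_LEVEL = date(2016, 7, 1)  # 2016-07-01: fixes that apply to all Android devices
FULL_LEVEL = date(2016, 7, 5)           # 2016-07-05: platform fixes plus the driver fixes


def parse_patch_level(value):
    """Parse the YYYY-MM-DD string from ro.build.version.security_patch.

    Returns a date, or None if the value is missing or malformed (an OEM
    build that never set the property, or garbage from a broken inventory).
    """
    try:
        year, month, day = (int(part) for part in value.strip().split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None


def classify(value):
    """Map a reported patch level to one of four states relative to July 2016."""
    level = parse_patch_level(value)
    if level is None:
        return "unknown"          # could not read the level: investigate manually
    if level >= FULL_LEVEL:
        return "full"             # 2016-07-05 or later: platform + driver fixes present
    if level >= PLATFORM_ONLY_LEVEL:
        return "platform-only"    # 2016-07-01: driver fixes still missing
    return "behind"               # older than July 2016: neither part applied


def summarize(inventory):
    """Group (device_id, patch_level_string) pairs by state, device ids sorted."""
    groups = {"full": [], "platform-only": [], "behind": [], "unknown": []}
    for device_id, value in inventory:
        groups[classify(value)].append(device_id)
    return {state: sorted(ids) for state, ids in groups.items()}


# Constructed sample inventory (hypothetical device ids and reported levels).
SAMPLE_INVENTORY = [
    ("nexus5x-a", "2016-07-05"),
    ("nexus6-b", "2016-07-01"),
    ("oem-c", "2016-06-01"),
    ("oem-d", ""),
]

if __name__ == "__main__":
    for state, ids in summarize(SAMPLE_INVENTORY).items():
        print(f"{state:14s} {', '.join(ids) or '-'}")
```

Devices in the `platform-only` group have the 33 general fixes but not the 75 driver fixes, so they are the ones to watch for an OEM follow-up build; `behind` and `unknown` devices should be prioritised before either.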

Nexus devices are already receiving the new security update, which will also be pushed to the Android Open Source Project (AOSP) shortly. Google notified its manufacturing partners about these issues on June 6 or earlier, and they are expected to release similar updates to their users as well. In fact, BlackBerry says the patches are already on the way to its Android-powered smartphones.

Related: Overwhelming Majority of Android Devices Don’t Have Latest Security Patches
