Google this week released its October 2017 Android patches, which address a total of 14 vulnerabilities in the mobile platform, including five rated Critical severity.
Split in two, the Android Security Bulletin—October 2017 resolves issues affecting various platform iterations, ranging from Android 4.4.4 to Android 8.0. The most severe of these could lead to arbitrary code execution or to applications being able to gain additional permissions without user interaction.
The first set of patches arrives on devices as part of the 2017-10-01 security patch level, meant to address a total of 8 vulnerabilities, including 3 Critical severity, 3 High risk, and 2 Medium severity.
With six vulnerabilities addressed in it, Media framework was the most impacted component. Three of these issues were rated Critical, all three leading to remote code execution. Additionally, a High severity elevation of privilege and two Moderate risk information disclosure bugs were addressed in it.
Other impacted components included framework, with a High severity elevation of privilege issue addressed in it, and System, with a High risk remote code execution bug patched.
The vulnerability addressed in System is CVE-2017-14496, a bug related to the Dnsmasq network services software. The release of Dnsmasq 2.78 on Monday addressed this issue and several others, including remote code execution flaws.
Google addressed six vulnerabilities as part of the 2017-10-05 security patch level, two listed as Critical severity and four listed as High risk.
The Critical bugs, one remote code execution and one elevation of privilege, along with a High risk elevation of privilege issue, impacted Qualcomm components. Two of the remaining High risk issues impacted Kernel components, while the third impacted MediaTek components. All three were elevation of privilege bugs.
In addition to the Android Security Bulletin, Google published a separate security bulletin detailing vulnerabilities addressed in Nexus and Pixel devices. As part of this month’s fixes, Google resolved issues affecting framework, Media framework, System, and Broadcom, HTC, Huawei, Kernel, Motorola, and Qualcomm components.
Fixes for a total of 38 vulnerabilities were included in the Pixel/Nexus Security Bulletin—October 2017: four High risk, 32 Medium severity, and 2 Low risk. Most of the issues were elevation of privilege and information disclosure bugs.
22 of the vulnerabilities were addressed in Qualcomm components, most of which affected WLAN. Media framework was the second most impacted component, with six vulnerabilities addressed in it, including one affecting all Android versions from 4.4.4 to 8.0.