Patch your Android, peeps, it has up to 14 nasty flaws to flog
Another month, another round of Android patches – although October’s batch is pleasantly small compared to other recent releases.
Of the 14 CVE flaws released, six cover Android’s troubled media engine. This has been a top choice for vulnerability fixers but – compared to the usual number of patches released for it every month – Google appear to have fixed a lot of the major issues. The details are as follows:
Three flaws (CVE-2017-0809, CVE-2017-0810, CVE-2017-0811) in the media framework are rated critical by Google since they allow remote code execution into privileged processes and affect Android 4.4 to the current version. CVE-2017-0811, rated high, is a privilege escalation issue in versions 7 and 8.
There are also two moderate flaws, CVE-2017-0815 and CVE-2017-0816, that would allow information leakage on all currently supported Android builds. In addition there’s a high severity flaw (CVE-2017-0806) in the overall framework of Android 6 or newer versions. It allows an attacker to work their way up the privilege chain.
System flaws are usually the most serious but there’s only one this month – CVE-2017-14496. This is a high severity flaw allowing remote attack code to be run on a handset and is found in all versions of Android from version 4.4 onwards.
There’s also a pair of high-severity privilege escalation flaws in the Android kernel – CVE-2017-7374 for the file system and CVE-2017-9075 for the network subsystem. All Android versions need these patches. The same issue also affects MediaTek system-on-a-chip software and is addressed with CVE-2017-0827.
Finally there are three updates for Qualcomm components used by all versions of Android. Two of these are critical: CVE-2017-11053, which fixes an issue with the system-on-a-chip driver that allows remote code execution, and CVE-2017-9714, which fixes the network subsystem to block privilege escalation.
The last patch, rated as high severity, blocks an attacker from increasing their privileges by exploiting a flaw in the Linux boot system used by Qualcomm hardware.
All patches can be found here and will be pushed out to phones this month. ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/03/october_android_patches/