Google Continues To Fix Qualcomm Vulnerabilities In July Android Security Bulletin
Google recently released its Android security bulletin (for July) with two security patch level strings. The first one is dated July 1 while the other one dated July 5. Google wants users to install the update to shun potential security issues.
For Pixel or Nexus devices, Google will push OTA updates while other device owners should wait for their OEM to push updates with specific fixes. Google has already notified the OEMs about the issue mentioned in the bulletin and it has also released the source code patches for the issues to the Android Open Source Project (AOSP) repository.
As usual, Google continues to fix the vulnerabilities in Mediaserver. In March, there were reports about a vulnerability that enabled an attacker to use the files - H.264 and H.265 to corrupt the device's memory during the processing. These loopholes in the system allowed hackers to run remote code on Android via Mediaserver processes. Google continued to roll out security patches for these vulnerabilities in April, May, and June. And in July too, the company continues to tackle it.
Folks at TrendLabs have discovered more H.265 decoder vulnerabilities, ranging from Critical to High. Two of these vulnerabilities fall under High while the third one is Critical in nature - CVE-2017-0689, CVE-2017-0695, and CVE-2017-0540. For H.264 decoder, they found three Critical and one High Vulnerability - CVE-2017-0680, CVE-2017-0679, CVE-2017-0693, and CVE-2017-0677. TrendLabs discovered more vulnerabilities that affect MPEG2 format, which was also pointed out in the May security bulletin.
The CVE-2017-0686 vulnerability increases the volume of attacks that cause multiple reboots on the device whenever an MPEG2 video is played. On the other hand, the CVE-2017-0674 is a Critical vulnerability that enables remote code execution on the device.
July security bulletin also reveals other components. The Media Framework section comes with ten Critical vulnerabilities including the aforementioned CVE-2017-0540 vulnerability that allows remote execution in Mediaserver. Broadcom component section includes CVE-2017-9417 that allows hackers to execute malicious code within the kernel. Similarly, Qualcomm components include seven vulnerabilities that enable malicious apps to run arbitrary code within the circumference of the kernel. Qualcomm closed-source components section features 55 High rated vulnerabilities.
The security update for July tackles all the vulnerabilities so it is highly advisable to install it as soon as you get it.