The hits keep coming for the Android platform. Previously, in the February 2017 Security Bulletin, there were eight vulnerabilities marked Critical. This month, that number jumps to an unheard-of eleven Critical issues. Let's take a look at the Critical flaws detailed in the March 2017 Android Security Bulletin.
Check your security release
Before we highlight what's included with the March 2017 Android Security Bulletin, it's always good to know what security release is installed on your device. Of the Android devices I use regularly, the Verizon-branded Nexus 6, running Android 7.0, finally caught up to the latest security bulletin (Figure A). However, my daily driver, a OnePlus 3, is still lagging with the December 2016 security update. Although the OnePlus 3 has been upgraded to Nougat, the security patch is still behind; my guess is the security patch update will not happen until the device is upgraded to 7.1.1.
Figure A
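The same check can be scripted for devices reachable over adb. The following is an added example, not part of the original article: it reads the ro.build.version.security_patch property and classifies the device against a required patch level. The function names, the script name patchlevel.sh and the sample level 2017-03-01 are assumptions made for illustration; take the exact patch level string from the bulletin itself.

```shell
#!/bin/sh
# Added example (not from the article): classify a device's security patch level.
# Patch levels are ISO dates (YYYY-MM-DD) exposed by the system property
# ro.build.version.security_patch.

# Succeeds only if $1 has the YYYY-MM-DD shape.
is_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# patch_status DEVICE_LEVEL REQUIRED_LEVEL
# Prints CURRENT, BEHIND, or UNKNOWN (empty or malformed value).
patch_status() {
    dev=$(printf '%s' "$1" | tr -d '\r ')   # adb output can end in a carriage return
    req=$2
    if ! is_patch_level "$dev" || ! is_patch_level "$req"; then
        echo UNKNOWN
        return 0
    fi
    # With the dashes removed, ISO dates compare correctly as integers.
    d=$(printf '%s' "$dev" | tr -d '-')
    r=$(printf '%s' "$req" | tr -d '-')
    if [ "$d" -ge "$r" ]; then echo CURRENT; else echo BEHIND; fi
}

# check_device REQUIRED_LEVEL
# Queries the attached device over adb (USB debugging must be enabled).
check_device() {
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null) || level=
    echo "$(patch_status "$level" "$1") (device reports: ${level:-nothing})"
}

# Usage (hypothetical script name): sh patchlevel.sh --device 2017-03-01
# 2017-03-01 is a constructed sample value; use the string the bulletin gives.
if [ "${1:-}" = "--device" ]; then
    check_device "${2:-}"
fi
```

A device still on a December 2016 patch, like the OnePlus 3 described above, is reported as BEHIND; a device that returns no value for the property is reported as UNKNOWN rather than assumed patched.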
Critical Issues
Remote code execution vulnerability in OpenSSL & BoringSSL
There's nothing boring about BoringSSL, especially when it suffers from a critical vulnerability. In fact, both OpenSSL and BoringSSL have been found to contain issues. This particular remote code execution vulnerability could enable an attacker, using a malicious file, to cause memory corruption during file and data processing. Because of the possibility of remote code execution within the context of a privileged process, this vulnerability is marked as Critical.
Related bug: A-32096880
Remote code execution vulnerability in Mediaserver
There's a certain comfort in knowing the Mediaserver will continue to return to the Security Bulletin — like a dear friend that never leaves. Yet another remote code execution vulnerability could enable the attacker, using a malicious file, to cause memory corruption during the processing of either a media file or media-related data. Because of the possibility of remote code execution within the context of the Mediaserver, this vulnerability has been rated as Critical.
Related bugs: A-33139050, A-33250932, A-33351708, A-33450635, A-33818500, A-33816782, A-33862021, A-33982658, A-32589224
Elevation of privilege vulnerability in recovery verifier
A new entry to the Critical scene, the recovery verifier has been found to contain an elevation of privilege vulnerability. This vulnerability could enable a locally installed, malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this issue is rated as Critical.
Related bug: A-31914369
Elevation of privilege vulnerability in MediaTek components
MediaTek components (including the M4U, sound, touchscreen, GPU, and Command Queue drivers) have been discovered to contain an elevation of privilege vulnerability. This flaw could enable a local, malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require reflashing the operating system), this vulnerability has been marked as Critical.
Related bugs: A-28429685, M-ALPS02710006, A-28430015, M-ALPS02708983, A-28430164, M-ALPS02710027, A-28449045, M-ALPS02710075, A-30074628, M-ALPS02829371, A-31822282, M-ALPS02992041, A-32276718, M-ALPS03006904
NOTE: The patch for the A* bugs is not publicly available; it is included in the latest binary drivers for Nexus devices, available from the Google Developer site.
Elevation of privilege vulnerability in NVIDIA GPU driver
The NVIDIA GPU driver has been found to contain an elevation of privilege vulnerability. This flaw could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this vulnerability has been marked as Critical.
Related bugs: A-31992762, N-CVE-2017-0337, A-33057977, N-CVE-2017-0338, A-33899363, N-CVE-2017-0333, A-34132950, N-CVE-2017-0306, A-33043375, N-CVE-2017-0335
NOTE: The patch for the A* bugs is not publicly available; it is included in the latest binary drivers for Nexus devices, available from the Google Developer site.
Elevation of privilege vulnerability in kernel ION subsystem
The ION Memory Allocator has been found to contain an elevation of privilege vulnerability. This kernel vulnerability could enable a local malicious application to execute arbitrary, malicious code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this flaw has been marked as Critical.
Related bugs: A-31992382, A-33940449
NOTE: The patch for the A* bugs is not publicly available; it is included in the latest binary drivers for Nexus devices, available from the Google Developer site.
Elevation of privilege vulnerability in Broadcom Wi-Fi driver
The Broadcom Wi-Fi driver has been found to contain an elevation of privilege vulnerability. This vulnerability could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this flaw has been marked as Critical.
Related bugs: A-32124445, B-RB#110688
NOTE: The patch for the A* bugs is not publicly available; it is included in the latest binary drivers for Nexus devices, available from the Google Developer site.
Elevation of privilege vulnerability in kernel FIQ debugger
The kernel FIQ (Fast Interrupt reQuest) debugger has been found to contain an elevation of privilege vulnerability. This vulnerability could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this flaw has been marked as Critical.
Related bug: A-32402555
NOTE: The patch for the A* bugs is not publicly available; it is included in the latest binary drivers for Nexus devices, available from the Google Developer site.
Elevation of privilege vulnerability in Qualcomm GPU driver
The Qualcomm GPU driver has been found to contain an elevation of privilege vulnerability. This vulnerability could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this flaw has been marked as Critical.
Related bugs: A-31824853, QC-CR#1093687
NOTE: The patch for the A* bugs is not publicly available; it is included in the latest binary drivers for Nexus devices, available from the Google Developer site.
Elevation of privilege vulnerability in kernel networking subsystem
Even the kernel networking subsystem isn't immune to elevation of privilege vulnerabilities. Like many of the other critical vulnerabilities, the flaw in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. Because of the possibility of permanent device compromise (which could require the reflashing of the operating system), this flaw has been marked as Critical.
Related bugs: A-33393474, A-33753815
Critical vulnerabilities in Qualcomm components
The Qualcomm component vulnerability has returned for another month, only this time with a few extra bugs. Numerous Qualcomm components have been discovered to contain critical vulnerabilities and were determined to be Critical by Qualcomm. Unfortunately, Qualcomm only shares the information regarding these flaws with customers.
Related bugs: A-28823575, A-28823681, A-28823691, A-28823724, A-31625756
Note that any device running Android 7.0 is safe from these issues. The patch for the A* bugs is not publicly available; it is included in the latest binary drivers for Nexus devices, available from the Google Developer site.
Upgrade and update
The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available. To see the full listing of vulnerabilities (which includes a number of High and Moderate issues), check out the March 2017 Android Security Bulletin.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.