Android gets patches for critical flaws in media handling, hardware drivers

The Android security bulletin for May covered fixes for over 100 vulnerabilities

IDG

IDG

Android is getting security fixes for more than 100 vulnerabilities, including 29 critical flaws in the media processing server, hardware-specific drivers and other components.

Android's monthly security bulletin, published Monday, was split into two "patch levels," which are represented as date strings on the "About" page of Android devices.

The 2017-05-01 security patch level covers fixes for vulnerabilities that are common to all Android devices while the 2017-05-05 level covers additional fixes for hardware drivers and kernel components that are present only in some devices.

This month's update patches six critical vulnerabilities in Mediaserver, an Android component that handles the processing of image and video files. This component has been a source of many flaws over the past few years, being a regular presence in the monthly Android security bulletins.

The Mediaserver flaws can be exploited by tricking users to download specially crafted media files on their devices, or by sharing such files via email or some other messaging app. It's not even necessary for the user to open the file because its mere presence on the file system will cause Mediaserver to process it.

By exploiting such flaws, attackers can achieve remote code execution in the context of the Mediaserver process, which has special privileges compared to regular apps. On some devices it can even lead to a complete compromise of all data.

Mediaserver vulnerabilities can theoretically be exploited through multimedia messages (MMS), which is why Google has disabled the automated display of such messages in the default Android text messaging app and Google Hangouts. However, third-party applications might still be exposed to this attack vector.

In addition to the patches for the six critical flaws, the 2017-05-01 patch level also includes fixes for eight high-risk vulnerabilities, five moderate severity flaws and a low severity issue. Some of these vulnerabilities are also located in the Mediaserver component.

Another interesting vulnerability in the Android file-based encryption implementation could have allowed an attacker to bypass the lock screen. If left unpatched, this moderate-risk flaw can allow thieves or law enforcement authorities with physical access to a protected device to extract data from it.

The 2017-05-05 security patch also contains a fix for a remotely exploitable flaw that's related to media processing. The vulnerability is located in GIFLIB, a library that's used by the OS for reading and writing GIF format images.

The GIFLIB flaw is rated critical, but its inclusion in the second patch level suggests that it might not affect all devices.

Other critical vulnerabilities covered by this patch level are located in the MediaTek touchscreen driver, the Qualcomm and Motorola bootloaders, the NVIDIA video driver, the Qualcomm power driver, the kernel sound and trace subsystems and various other Qualcomm components.

These vulnerabilities can be exploited by a malicious application to execute arbitrary code inside the kernel -- the most privileged area of the OS -- leading to a complete and permanent compromise of the device. Recovering from such an attack requires reflashing the firmware on the affected device.

Many high and moderate severity vulnerabilities were fixed in other hardware components and kernel subsystems. For some of them, the fixes are only included in the binary files that chipset manufacturers share with device manufacturers and are not publicly available.

In fact, some of flaws included in this bulletin were already covered by patches released by chipset vendors over the past few years. However, Google decided to include them in its own bulletins now in order to associate their fixes with an Android security patch level.

Google only releases firmware updates for its supported Nexus and Pixel devices and then makes the relevant patches available to the Android Open Source Project (AOSP) -- the code that serves as a base for the firmware produced by device makers. Users should look for firmware updates for their specific devices from their manufacturers.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?