July’s Android Security Bulletin Addresses Continuing Mediaserver and Qualcomm Issues
Google has released their Android security bulletin for July in two security patch level strings: the first dated 2017-07-01 and the succeeding one dated 2017-07-05. As always, Google urges users to update and avoid any potential security issues. Owners of native Android devices should apply the latest over-the-air (OTA) updates, and non-native Android device users can look to their service providers or manufacturers for OEM-specific fixes.
This bulletin continues the tackle the vulnerabilities in Mediaserver we’ve been discussing for the past few months. In March we mentioned that an attacker can use specifically crafted files –H.264 and H.265 videos—to cause memory corruption during file processing. These vulnerabilities could also potentially allow attackers to execute remote code using Mediaserver processes. Patches for these and related media codec vulnerabilities continued to be released in April, May and June as well.
This month we discovered more H.265 decoder vulnerabilities, one Critical and two High:
And for H.264, we found three Critical and one High:
We discovered more vulnerabilities affecting MPEG2, which also had issues previously highlighted in May. CVE-2017-0686 can facilitate remote denial-of-service attacks when an MPEG2 video is played, causing device stoppages or reboots, while CVE-2017-0674 is a Critical vulnerability that can allow attackers to execute code from a remote location.
This bulletin also addresses vulnerabilities in the following components:
Media framework – This section includes ten Critical vulnerabilities, including the previously mentioned CVE-2017-0540, which is a dangerous remote code execution vulnerability in Mediaserver.
Broadcom – CVE-2017-9417 is a Critical vulnerability that could allow a proximate attacker to execute arbitrary code within the context of the kernel.
Qualcomm components – This section has seven vulnerabilities rated as High, the most severe of which would allow a local malicious application to execute arbitrary code within the context of the kernel.
Qualcomm closed-source components – This section has 55 High rated vulnerabilities. Further details can be found in Qualcomm AMSS security bulletins 2014-2016 and the fixes are available directly from the company. They are included in Google’s bulletin to connect their fixes with affected Android users.
In total, Trend Micro disclosed ten vulnerabilities—five Critical and five High:
Best Practices and Trend Micro Solutions
To prevent any complications that might arise from potential attackers looking to exploit the vulnerabilities found in this bulletin, users should immediately update their devices as soon as they are available – either from Google themselves or from other service providers and manufacturers.
In addition, users can ensure a multilayered approach to mobile security by downloading Trend Micro Mobile Security (TMMS), which can detect threats that could be used to exploit vulnerabilities such as the ones addressed in this update.