June’s Android Security Bulletin Address Critical Vulnerabilities in Media Framework and Qualcomm Components

Google recently released their June security bulletin for Android, which addresses critical vulnerabilities found in Media framework, as well as various critical vulnerabilities that are based on Qualcomm components. As with previous Android security updates, this month’s bulletin is available via over-the-air updates for native Android devices or via service providers and manufacturers for non-native devices.

As is customary with Google’s monthly updates, two patch levels are involved—one labeled 2017-06-01, which is the partial security patch level that addresses all issues associated with 2017-06-01, as well as all previous security patch level strings. Among the critical vulnerabilities addressed in this patch level is CVE-2017-0637 which is the most severe in a set of seven vulnerabilities that involve Media framework. Attackers exploiting this vulnerability could use a specially crafted file to remotely cause memory corruption during media file and data processing, as well as cause multiple overflows in the H.265 media decoder (Note: we independently found and disclosed this vulnerability to Google separate from the other Media framework components) In addition, we also discovered and disclosed CVE-2017-0640, CVE-2017-0641 and CVE-2017-0643, which are High severity vulnerabilities in the Media framework component.

Also addressed in this patch level are vulnerabilities in the following components:

Bluetooth –This section includes CVE-2017-0639, a High severity vulnerability that could enable a local malicious app to access data outside of its permission levels.

Libraries – The vulnerabilities in this section comprise six High and four Moderate severity vulnerabilities. The most severe of these could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process.

System UI – This section is comprised of CVE-2017-0638, a vulnerability that could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process.

The second and more comprehensive security patch level is labeled 2017-06-05. This addresses all issues with both 2017-06-01 and 2017-06-05, as well as all previous security patch level strings. The highlight of this patch level is CVE-2017-7371, a Critical severity vulnerability in the Qualcomm component Bluetooth driver could enable a proximate attacker to execute arbitrary code within the context of the kernel.

In addition to the ones stated above, we also discovered the following vulnerabilities:

CVE-2017-6247, CVE-2017-6248, CVE-2017-6249, and CVE-2017-7369: Vulnerabilities in in both the Nvidia and Qualcomm sound drivers which could possibly be exploited by an attacker to compromise the Android kernel.

Best Practices and Trend Micro Solutions
To prevent any complications that might arise from potential attackers looking to exploit the vulnerabilities found in this bulletin, users should immediately update their devices as soon as they are available – either from Google themselves or from other service providers and manufacturers.

In addition, users can ensure a multilayered approach to mobile security by downloading Trend Micro Mobile Security (TMMS), which can detect threats that could be used to exploit vulnerabilities such as the ones addressed in this update.

Trend Micro disclosed the following vulnerabilities: