Android's revealed 58 patches, but good luck getting your paws on them: as ever, owners of Nexus devices may already have the February update but OEM customers have to wait.
CVE-2017-0406* and CVE-2017-0407 are critical-rated remote code execution bugs in Mediaserver: crafted files can corrupt memory, leading to the possibility of remote code execution. The other two Stagefright-related patches (rated high severity) are CVE-2017-0409 (a remote code execution in the libstagefright library) and CVE-2017-0415 (a privilege escalation bug in the mediaserver library).
The other critical-rated fixes are:
- Qualcomm's crypto driver is vulnerable to remote code execution in CVE-2016-8418 (up-to-date Android 7.0 isn't affected);
- A privilege escalation vulnerability in the kernel filesystem that could brick a device, CVE-2017-042 (only fixed for Nexus in binary drivers);
- A “brickable” privilege escalation vulnerability in the NVIDIA GPU driver in Nexus 9 devices (only fixed for Nexus in binary drivers);
- A 2014 Linux kernel bug in the kernel networking subsystem, also brickable, CVE-2014-9914; and
- Attackers could also brick vulnerable devices through bugs in the Broadcom Wi-Fi driver (CVE-2017-0430) and Qualcomm driver bugs that first emerged in September 2016 (CVE-2017-0431).
There are echoes of Quadrooter since like that vulnerability, 19 of the 58 fixes in are bugs in Qualcomm drivers – but only two of those are critical.
Oh, you don't own a Nexus? Well, we suppose a fix will land sometime. ®
Bootnote: * Where CVE (Common Vulnerabilities and Exposures) numbers have a public description published, we've linked to them. Most of the bugs in today's list are only described in Google's bulletin, not by Mitre, which convenes the CVE list. ®