Another month, another round of Android patches – although October's batch is pleasantly small compared to other recent releases.
Of the 14 CVE flaws released, six cover Android's troubled media processing and playback engine. This means miscreants can fling malicious files at devices to potentially hijack them. The privilege escalation bugs can be used by dodgy apps to gain control of handsets and tablets. There's also a remote-code execution flaw in the Dnsmasq tool used by Android.
Details of the flaws are vague, presumably to make it harder for miscreants to pinpoint exploitable code, and what we know is as follows:
Three flaws (CVE-2017-0809, CVE-2017-0810, CVE-2017-0811) in the media framework are rated critical by Google since they allow remote code execution in privileged processes, triggered by opening or receiving booby-trapped media files, and affect Android 4.4 to the current version. CVE-2017-0811, rated high, is a privilege escalation issue in versions 7 and 8.
There are also two moderate flaws, CVE-2017-0815 and CVE-2017-0816, that leak information on all currently supported Android builds. In addition, there's a high-severity flaw (CVE-2017-0806) in Android 6 or newer versions. It allows an attacker or a dodgy app to work its way up the privilege chain to hijack the device when exploited.
System-level flaws are usually the most serious but there's only one this month – CVE-2017-14496. This is a high-severity flaw in Dnsmasq allowing remote malicious code to run on a handset when exploited and is found in all versions of Android from version 4.4 onwards.
There's also a pair of high-severity privilege escalation flaws in the Android kernel – CVE-2017-7374 for the file system and CVE-2017-9075 for the network subsystem. All Android versions need these patches. The same issue also affects MediaTek system-on-a-chip driver software and is addressed with CVE-2017-0827.
Finally, there are three updates for Qualcomm components used by all versions of Android. Two of these are critical: CVE-2017-11053 fixes an issue with the system-on-a-chip driver that allows remote code execution, and CVE-2017-9714 fixes the network subsystem to block privilege escalation.
The last patch, rated as high severity, blocks an attacker from increasing their privileges by exploiting a flaw in the Linux boot system used by Qualcomm hardware.
All the patches can be found here. Fixes will be pushed out to Nexus phones this month, and other Android devices when their manufacturers eventually get round to it. ®