KRACK whacked, media playback holes packed, other bugs go splat in Android patch pact

Update your firmware ASAP to avoid being hacked

Google has released its November security update for Android, addressing a bag of security holes.

You should install the fixes as soon as they are available for your phone, tablet and other gadgets. Depending on your mobile carrier and device manufacturer, they may arrive immediately, soon, late or never.

Among the holes covered by the release is the KRACK Wi-Fi key reinstallation flaw that made headlines last month after researchers described how the flaw could potentially allow eavesdropping on nearby wireless network traffic. Google's fixes cover nine CVE entries: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.

Of the 31 CVE entries covered in the update, nine are for remote code execution flaws rated as critical priorities by Google. Those include five flaws in Media Framework (CVE-2017-0832, CVE-2017-0833, CVE-2017-0834, CVE-2017-0835, CVE-2017-0836), one in System (CVE-2017-0841) and three in Qualcomm's WLAN software (CVE-2017-11013, CVE-2017-11014, CVE-2017-11015) that were discovered by Linux kernel developer Scotty Bauer and detailed earlier this week.

The Media Framework bugs can be exploited by malicious videos and similar files: when viewed by a mark, the media can potentially execute malware hidden in the data with high privileges to take over a device. Similarly, the System flaw can be exploited by tricking someone into opening a booby-trapped document to execute code on the device with high privileges.

Among the "high" priority flaws are a pair of elevation of privilege holes in the Android kernel: one in the networking subsystem (CVE-2017-9077) and one in WLAN (CVE-2017-7541). Two other elevation of privilege flaws were found in the Android framework APIs (CVE-2017-0830, CVE-2017-0831) and two information disclosure bugs were spotted in the Media Framework (CVE-2017-0839, CVE-2017-0840).

Devices using Nvidia components will need an update to address an elevation of privilege flaw in the GPU driver (CVE-2017-6264), while MediaTek modem chips are getting an update to address an elevation of privilege bug (CVE-2017-0843) in CCCI.

In addition to the three WLAN remote code flaws, Qualcomm hardware was the subject of fixes for elevation of privilege flaws in its GPU driver (CVE-2017-11092), Linux boot component (CVE-2017-11017) and the driver for the QBT1000 fingerprint sensor (CVE-2017-9690).

These elevation-of-privilege bugs can be used by dodgy apps to silently gain full control over a device, and spy on owners or cause merry mischief.

Fandroids with Nexus and Pixel devices will be able to get the November Android update directly from Google. ®
