KRACK whacked, media playback holes packed, other bugs go splat in Android patch pact

Update your firmware ASAP to avoid being hacked

Google has released its November security update for Android, addressing a bag of security holes.

You should install the fixes as soon as they are available for your phone, tablet and other gadgets. Depending on your mobile carrier and device manufacturer, they may arrive immediately, soon, late or never.

Among the holes covered by the release is the KRACK Wi-Fi key reinstallation flaw that made headlines last month after researchers described how the flaw could potentially allow eavesdropping on nearby wireless network traffic. Google's fixes cover nine CVE entries: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.

Of the 31 CVE entries covered in the update, nine are for remote code execution flaws rated as critical priorities by Google. Those include five flaws in Media Framework (CVE-2017-0832, CVE-2017-0833, CVE-2017-0834, CVE-2017-0835, CVE-2017-0836), one in System (CVE-2017-0841) and three in Qualcomm's WLAN software (CVE-2017-11013, CVE-2017-11014, CVE-2017-11015) that were discovered by Linux kernel developer Scotty Bauer and detailed earlier this week.

The Media Framework bugs can be exploited by malicious videos and similar files: when viewed by a mark, the media can potentially execute malware hidden in the data with high privileges to take over a device. Similarly, the System flaw can be exploited by tricking someone into opening a booby-trapped document to execute code on the device with high privileges.

Among the "high" priority flaws are a pair of elevation of privilege holes in the Android kernel: one in the networking subsystem (CVE-2017-9077) and one in WLAN (CVE-2017-7541). Two other elevation of privilege flaws were found in the Android framework APIs (CVE-2017-0830, CVE-2017-0831) and two information disclosure bugs were spotted in Media Framework (CVE-2017-0839, CVE-2017-0840).

Devices using Nvidia components will need an update to address an elevation of privilege flaw in the GPU driver (CVE-2017-6264), while MediaTek modem chips are getting an update to address an elevation of privilege bug (CVE-2017-0843) in CCCI.

In addition to the three WLAN remote code execution flaws, Qualcomm hardware was the subject of fixes for elevation of privilege flaws in its GPU driver (CVE-2017-11092), Linux boot component (CVE-2017-11017) and the driver for the QBT1000 fingerprint sensor (CVE-2017-9690).

These elevation-of-privilege bugs can be used by dodgy apps to silently gain full control over a device, and spy on owners or cause merry mischief.

Fandroids with Nexus and Pixel devices will be able to get the November Android update directly from Google. ®

Biting the hand that feeds IT © 1998–2022