Google Patches 58 Vulnerabilities in its February 2017 Android Security Update

Google’s latest Android Security Update has addressed 58 vulnerabilities in the Android operating system, 8 of which were rated as critical.

Google’s February 2017 Android patch has presented solutions for 58 vulnerabilities on the Android operating system, a significantly higher number in comparison to the 13 vulnerabilities that were addressed in February 2016

Following the discovery of the Stagefright vulnerabilities in 2015, Google has been consistently releasing monthly Android Security Updates in a bid to stay ahead of the flaws as well.

Another SurfaceFlinger Flaw Addressed in Latest Security Update for Android Update

Of the 58 flaws, Google has rated 8 as the most critical vulnerabilities.

One of the more prominent vulnerabilities addressed is an Android SurfaceFlinger remote code execution flaw labeled CVE-2017-0405.

This particular vulnerability gives an attacker the ability to permanently corrupt the memory of an Android device during media and data processing using remote code execution.

Google’s consequent advisory rated this as one of the critical vulnerabilities largely due to the SurfaceFlinger context.

First detected by Copperhead security researchers Daniel Micay and Scott Bauer, the SurfaceFlinger flaw posed a lot of risk for many Android users.

Micay is also credited with the discovery of Stagefright 2 media server vulnerabilities in October 2015.

The first Stagefright vulnerabilities were discovered in July 2015, and are what prompted the commencement of Google’s monthly patch schedule; February’s Android security update marked the 19th monthly security update since the process was commenced.

Four Stagefright Vulnerabilities Patched

Google’s consequent advisory rated this as one of the critical vulnerabilities largely due to the SurfaceFlinger context

In their latest patch update, Google has taken care of four Stagefright-related vulnerabilities including two critical remote code vulnerabilities labeled CVE-2017-0406 and CVE-2017-0407.

The remaining two Stagefright-related vulnerabilities have been rated as high-severity and include a remote code flaw in the Stagefright library and a privilege escalation vulnerability in the media server, labeled as CVE-2017-0409 and CVE-2017-0415, respectfully.

Google Patches Critical Privilege Escalation Vulnerabilities in Kernel File System

The CVE-2017-0427 privilege escalation vulnerability was rated as critical by Google because the issue could allow malicious applications to execute arbitrary codes within the parameters of the kernel.

When exploited, the vulnerability could lead to permanent device damage, which may necessitate an operation system re-flashing in order to repair the device in most cases.

As you may have already guessed, the data in the device will be lost unless a backup is available.

In the February 2017 Android patch update, Google also addressed a privilege escalation issue in the kernel networking subsystem, one that was categorized amongst the critical vulnerabilities in this year’s patch update.

The flaw, CVE-2014-9914, was first patched on the Linux kernel in June 2014.

19 Qualcomm Vulnerabilities Patched in February 2017 Android Security Update

The ever-present QuadRooter vulnerabilities were again patched in Google’s latest security update.

This year, 19 Qualcomm-related vulnerabilities were patched, two of which were rated as critical.

15 of these vulnerabilities were rated as high-severity, while the remaining two were considered to have moderate-severity.

The Qualcomm flaws include privilege escalation flaws and remote code execution issues.

Android Nougat OS on Google Nexus and Pixel Devices will receive the Security Update

The Google Android Security Update will not be all-encompassing, especially for older Operating Systems such as Lollipop and the dated KitKat.

However, Google Nexus and Pixel devices running Android Nougat should expect the security update soon.

The comprehensive patch information is available on https://source.android.com/security/bulletin/2017-02-01.html.

Leave a Reply