Google Patches Android for 47 Vulnerabilities in Final Update for 2017

Google released what is likely its final Android security update for 2017 on Dec. 4, patching at least 42 different vulnerabilities.

Among the vulnerabilities patched by Google are 11 flaws in the media framework, of which five are critical remote code execution issues.

"The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," Google warned in its advisory.

The Android media framework includes the libmedia and libstagefright components, which have been patched in nearly every single Google Android security update since August 2015. Google only began its regular monthly patch update cycle for Android after the Stagefright vulnerability was first publicly disclosed at Black Hat USA 2015 and has struggled with patching the much-maligned component ever since.

There is also a critical remote code execution flaw in the Android "System" component identified only as CVE-2017-13160 that is patched in the December update. Google warns that the vulnerability could enable a proximate attacker to execute arbitrary code within the context of a privileged process.

Once again, Google is also pulling in fixes for security vulnerabilities that have already been patched in the upstream Linux kernel. Among the patched issues is CVE-2017-7533, a privilege escalation issue with file handling that was patched by the Linux community back on July 7.

Another often patched area of Android in 2017 has been components from third-party vendors, including Qualcomm, Nvidia and MediaTek. In the December update, there are 18 different updates for various Qualcomm components, including three critical remote code execution issues.

"The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," Google warned in its advisory.

Though Google is still dealing with some of the same core issues in Android security that have plagued the platform for years, the December vulnerability tally is an improvement of sorts. Google's first Android patch update for 2017 provided fixes for 90 different issues, while the December 2016 patch update provided patches for 74 flaws.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.
