Google’s security teams are keeping busy this week, updating the Android mobile operating system and Chrome browser for Windows, macOS and Linux.
Once again, Google is patching multiple vulnerabilities in the much maligned media framework component. In total, there are seven different vulnerabilities in the Android media framework, with one remote code execution issue (CVE-2017-0637) rated as critical and the other six denial of service issues (CVE-2017-0391, CVE-2017-0640, CVE-2017-0641, CVE-2017-0642, CVE-2017-0643 and CVE-2017-0644) rated as high impact.
“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to cause memory corruption during media file and data processing,” Google warned in its advisory.
There is also a high-severity remote code execution vulnerability identified as CVE-2017-0638 in the Android system user interface that is being patched. According to Google, the CVE-2017-0638 vulnerability could have potentially enabled an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process.
Non-Google drivers and components from MediaTek, NVIDIA, Qualcomm and Synaptics are also being patched in the June Android update.
Android security awards
The June Android update comes as Google is increasing the awards it pays to third-party security researchers as part of the Android Security Rewards bug bounty program. The Android Security Rewards got started in 2015 paying security researchers for responsibly disclosing bugs in Android.
In 2016 the program paid out $1.1 million in awards to researchers, with payments made to 115 individuals. Google stated that it paid an average of $2,150 per reward and $10,209 in total per researcher.
Google is now boosting its bug bounty payout for certain classes of critical vulnerabilities in Android. Google will now offer $200,000 for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise, an increase from the $50,000 it previously offered.
Google is also boosting what it pays for a remote kernel exploit, from $30,000 to $150,000.
On June 5, Google also released an update to the Chrome browser for Windows, macOS and Linux. The Chrome 59.0.3071.86 update includes patches for 30 security issues, of which at least 16 were reported by third-party security researchers.
Of the 16 issues that were reported by security researchers, five were rated as high severity, eight as medium and three as low. Google is paying the third-party researchers a total of $23,500 for the reported issues.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.