Google Patches KRACK Wi-Fi Flaw in Android November Security Update

Some vendors take longer than others to update for critical vulnerabilities – case in point is Google’s Android mobile operating system. On Nov. 6, Google released an Android update, patching a vulnerability that IT vendors have known about for months.

On Oct. 16, security researcher Mathy Vanhoef, working at Belgian University KU Leuven, publicly disclosed the KRACK Wi-Fi vulnerability that affected all Wi-Fi devices that use WPA2 encryption, including every Android device ever built.

KRACK is an acronym for Key Reinstallation Attacks and is attack that is able to replay and reuse in-use encryption keys in order to give an attacker unauthorized access. Vanhoef worked with CERT/CC to responsibly disclose the issue and provide vendors with time to patch. The initial private disclosure was sent out to impacted vendors, including Google, on Aug. 28.

Multiple vendors, including Microsoft, Aruba, Cisco, Red Hat, Juniper Networks, ZyXEL and Intel, had KRACK patches available on Oct. 16. Apple was a laggard to the KRACK patch, releasing an update on Oct. 31, though Apple was still able to release a patch a week before Google.

Google’s November Android update finally includes multiple patches for KRACK, though they are not specifically identified as KRACK patches by Google. Rather Google has included the KRACK updates under the System category of the Android November security updates.

“The most severe vulnerability in this section could enable a proximate attacker to bypass user interaction requirements before joining an unsecured Wi-Fi network,” Google’s advisory warns.

In total Google is patching nine different vulnerabilities that are KRACK related including: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088. Google has simply labelled the vulnerabilities has being EoP (elevation of privilege) with high severity.

“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations,” Vanhoef wrote in his original KRACK advisory. “Therefore, any correct implementation of WPA2 is likely affected.”?

Media Framework

In addition to the KRACK patches, Google is once again patching for multiple flaws in Android’s much-maligned media framework library. In the November update, there are seven different media framework related issues being patched, five of which are rated as critical and the remaining two as high severity.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google warned in its advisory.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner
Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

Top Products

Top Cybersecurity Companies

Cybersecurity is the hottest area of IT spending. That's why so many vendors have entered this lucrative $100 billion+ market. But who are the...

Top Endpoint Detection and Response (EDR) Solutions

Endpoint security is a cornerstone of IT security, so our team put considerable research and analysis into this list of top endpoint detection and...

Top CASB Security Vendors for 2021

Any cloud-based infrastructure needs a robust cloud access security broker (CASB) solution to ensure data and application...

Best SIEM Tools & Software for 2021

Security Information and Event Management (SIEM, pronounced "sim") is a key enterprise security technology, with the ability...

Related articles