On Monday Google announced five major Android bugs in its October Android Security Bulletin. In total, 14 patches, rated from critical to high, were issued to address these vulnerabilities.
The number of vulnerabilities disclosed is relatively low this month because Google changed how it handles its security bulletins. Starting this October, Google introduced a separate monthly Pixel/Nexus Security Bulletin that covers vulnerabilities specific to Pixel and Nexus devices.
The Android Security Bulletin will continue to define security patch levels monthly, but because of this change Google issued only 14 patches for October on Monday.
According to Google, three of the critical vulnerabilities are remote code execution flaws in the operating system’s media framework. The other two involve Qualcomm components.
The Bulletin also includes a fix for the Dnsmasq vulnerabilities, which affect Android devices, Mac OS X, a range of Linux distributions, IoT devices, and routers.
According to Google, one of the most serious vulnerabilities is the escalation-of-privilege (EoP) bug CVE-2017-0806. It affects Android versions from 6.0 (Marshmallow) through 8.0 (Oreo). Google reported that the flaw “could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.”
Another EoP vulnerability is CVE-2017-7374, which affects the operating system’s file system. F5, the application security company, noted that the flaw is a use-after-free in the Linux kernel’s cryptographic file system code, fs/crypto.
Other flaws in Android kernel components could allow a malicious app to execute arbitrary code.
One more critical EoP bug, CVE-2017-9075, also lies in the operating system’s kernel, in the network subsystem. Cybersecurity experts at Brocade reported that “An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.”
The Android Security Bulletin also announced a group of patches for hardware components from Qualcomm and MediaTek.
Two of the severe Qualcomm bugs are CVE-2017-11053 and CVE-2017-9714. The first fixes a system-on-a-chip driver issue that enables remote code execution, while the second addresses a flaw in the network subsystem.
The final patch, CVE-2017-0827, addresses a MediaTek system-on-a-chip driver bug.
Google reported on the Android Security Bulletin:
Security vulnerabilities that are documented in (the Android) security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in device/partner security bulletins are not required for declaring a security patch level.
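Because the security patch level is what a device declares once it carries every fix in the Android Security Bulletin, the practical check for an administrator is whether a device's declared level is at or past the bulletin's level. The script below is an added example, not from the article or from Google; it assumes 2017-10-01 as the required level (the bulletin's exact patch-level dates are not given in the article) and uses constructed sample values in place of real devices.

```shell
#!/bin/sh
# Added example: check whether a device's declared Android security patch level
# meets a required bulletin level. The required level is an assumption here.
REQUIRED_LEVEL="2017-10-01"

# Patch levels use the YYYY-MM-DD form; in that form a plain string comparison
# orders dates correctly, so we only need to validate the shape first.
valid_level() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# patch_level_ok LEVEL [REQUIRED]  ->  exit 0 when LEVEL >= REQUIRED, else 1.
# A malformed level (e.g. "unknown") is treated as not patched.
patch_level_ok() {
  level="$1"
  need="${2:-$REQUIRED_LEVEL}"
  valid_level "$level" || return 1
  # Sort the two dates; the requirement must come first (or be equal).
  first=$(printf '%s\n%s\n' "$need" "$level" | sort | head -n 1)
  [ "$first" = "$need" ]
}

# Print a verdict for one declared level.
report() {
  if patch_level_ok "$1"; then
    echo "$1: patched (>= $REQUIRED_LEVEL)"
  else
    echo "$1: NOT patched (< $REQUIRED_LEVEL or malformed)"
  fi
}

# Constructed sample values. On a real device the declared level is read with:
#   adb shell getprop ro.build.version.security_patch
for sample in 2017-09-05 2017-10-01 2017-10-05 unknown; do
  report "$sample"
done
```

Because string order matches date order for zero-padded YYYY-MM-DD values, no date library is needed; the shape check is what prevents a blank or non-date property value from passing as "patched".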