In a recent September release Android update, Google was able to fix 81 system vulnerabilities such as the 13 critical remote code execution bugs of its Android Security Bulletin just the past Tuesday. One of the most worrisome vulnerability as usual is Android’s lightweight media player, Media Framework which includes the MediaServer, AudioServer, CameraServer and the ExtractorService processes.
In a case where a remote hacker utilizes a specially crafted file, they could execute the arbitrary code within the context of a privileged process by taking advantage of the vulnerabilities. In this month’s Media Framework update, there were ten critical remote code execution fixed including the four elevation of privilege bugs as well as eight denial of service.
Aside from that, Google also fixed three critical remote code execution vulnerabilities on its Wi-Fi driver Broadcom component, Qualcomm components and kernel components. And while it’s not as pressing as the July’s critical BroadPwn vulnerability, September’s Broadcom vulnerability would have let an attacker in executing an arbitrary code in the context of a privileged user. And even without any user interaction, and affected iPhones, HTC, LG and Nexus devices, the BroadPwn bug could have let a proximate attacker in executing arbitrary code within the context of the kernel remotely.
Both the kernel and Qualcomm bugs could allow a remote attacker to execute arbitrary code in the context of a privileged process provided they use a special crafted file just like the Media Framework vulnerability. This vulnerability in Qualcomm is found in the shared object library, LibOmxVenc. While the other bugs that were also fixed in the update could have let a malicious app bypass interaction requirements to obtain additional permissions, cause some apps to lag or freeze up, or to execute arbitrary code within the context of an unprivileged process.
According to Google, it hasn’t received any reports regarding the vulnerabilities that were fixed this month have been exploited but they are encouraging Android users to update if they have the chance to. These 13 vulnerabilities signified a slight increase over July and August when Google addresses 11 critical bugs and when it patched over 10 critical RCEs, respectively. These massive vulnerabilities was discovered by researchers with China’s Qihoo 360, C0RE Team and Alibaba’s mobile security research team. While the vulnerabilities fixed this month is also credited to the researchers with Tencent’s Xuanwu Lab, Palo Alto Networks and Trend Micro.
And despite all the multiple versions of Android that were addressed by the security update, this month’s Android Security Bulletin is certainly the first time for Android 8.0 Oreo to get an update. On the other hand, the lowest level of Android OS to receive an update this month is Android KitKat 4.4 which was released way back in September 2013.
As usual, Google also released an OTA or over the air update for all its Google devices to incorporate the bug fixes. However, it’s still up to OEMs to make sure that non-Pixel and Nexus devices are updated. As per the bulletin, Google devices such as the Pixel, Pixel XL, Pixel C, Nexus Player, Nexus 5X and the Nexus 6P will receive the security patches for this month when they upgrade to Android Oreo.