13 Critical Remote Code Execution Bugs Fixed in September Android Update

ID THREATPOST:8B2388FB499C0873E935A5E6852BCBA9
Type threatpost
Reporter Chris Brook
Modified 2017-09-20T19:59:39


Google fixed 81 vulnerabilities, including 13 critical remote code execution bugs, in the September release of its Android Security Bulletin on Tuesday.

The most concerning vulnerabilities, as usual, concern Media Framework, Android’s lightweight media player. The framework includes the MediaServer, AudioServer, CameraServer, and ExtractorService processes.

If a remote attacker used a specially crafted file, they could execute arbitrary code within the context of a privileged process via the vulnerabilities. Ten critical remote code execution bugs were fixed in this month’s Media Framework update, along with four elevation of privilege bugs, and eight denial of service.

Google also fixed a trio of critical, remote code execution vulnerabilities across its Wi-Fi driver Broadcom component, kernel components, and Qualcomm components.

While not as pressing as July’s critical BroadPwn vulnerability, this month’s Broadcom vulnerability could have let a proximate attacker execute arbitrary code in the context of a privileged user. The Broadpwn bug could have let a proximate attacker execute arbitrary code within the context of the kernel, remotely, without user interaction, and affected iPhones, HTC, LG, and Nexus devices.

Like the Media Framework vulnerability, the kernel and Qualcomm bugs could both allow a remote attacker to execute arbitrary code in the context of a privileged process if they used a specially crafted file. The Qualcomm vulnerability exists in the shared object library LibOmxVenc.

Additional bugs fixed in the update could have let a malicious app bypass interaction requirements to gain additional permissions, cause an app to hang or freeze up, or execute arbitrary code within the context of an unprivileged process.

Google says it hasn’t received any reports the vulnerabilities fixed this month have been exploited, but is encouraging Android users to update when given the opportunity. The 13 critical vulnerabilities mark a slight uptick over July, when Google addressed 11 critical bugs, and August when it patched 10 critical RCEs.

Researchers with China’s Qihoo 360, C0RE Team, and Alibaba’s mobile security research team discovered the bulk of the vulnerabilities. Researchers with Tencent’s Xuanwu Lab, Palo Alto Networks, and Trend Micro are also credited with finding vulnerabilities fixed this month.

While multiple Android versions are addressed by the security update, September’s Android Security Bulletin is the first time Android 8.0, Oreo, has received an update. The lowest level OS receiving an update this month is Android 4.4, KitKat, released back in September 2013.

Per usual, Google released an over the air (OTA) update for its Google devices to incorporate the fixes but it’s up to OEMs to ensure non-Pixel and Nexus devices are updated. According to the bulletin Google devices like the Pixel, Pixel XL, Pixel C, Nexus Player, Nexus 5X, and Nexus 6P should all receive the September security patches by upgrading to Android Oreo.