Google has teased 47 Android patches for Nexus and Pixel devices.
Among the critical bugs in the Android Security Bulletin, five concern the media framework, one is system-level, four hit Qualcomm components. The worst, Google said, is one of the media framework bugs, not yet fully disclosed, but it “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process”.
《民航网络信息安全管理规定(暂行)(征求意见稿)》公开征求意见
Two of the media framework bugs only affect Android 6.0 (31 per cent of active devices), one affects only Android 8.0 (0.3 per cent), one affects all versions between 7.0 and 8.0 (20.9 per cent), and the most widespread is in all version after 6.0 (nearly 52 per cent of devices).
Google hasn’t yet gone public with the nature of these bugs, nor has it divulged the system-level bug that affects Android 7.0 onwards, beyond saying that “a proximate attacker” could “execute arbitrary code” (in other words, vulnerable versions could be attacked over-the-air, either via WiFi, the cellular modem, or Bluetooth).
Three out of the four bugs inherited from Qualcomm are have already been revealed to the public. In CVE-2017-11043, there’s an integer overflow in the numap process (part of the WiFi code); in CVE-2016-3706 and CVE-2016-4429, there’s a stack overflow in a UDP RPC component. All three could be remotely exploitable.

国内安卓平台的应用软件让人越来越不放心,市场上假货泛滥,第三方的安全检测不够可靠,即便是从原厂网站下载的软件真实性其实也无法判断和校验,还是从谷歌应用商店下些评价高的、排名靠前的和获得了编辑推荐的比较可靠。
A Qualcomm closed-source component is vulnerable to the yet-to-be-disclosed CVE-2017-6211.
37 of the bugs are rated “High”, five of which are also Qualcomm-specific, and one upstream fix in the Linux kernel to take care of a privilege escalation bug.
Other vendors in the naughty corner include MediaTek and Nvidia, with three vulnerabilities each.
Source code patches will land within 48 hours, Pixel and Nexus firmware images are due December 5, US time, and the rest of the world can, as usual, wait for patches to wend their tired way down through vendors and carriers to land as an over-the-air update. Eventually. ®
发现不出问题的漏洞评估没有任何意义,所以安全审核人员永远都会发现您的组织中存在的一些安全问题。

猜您喜欢

…XM2017-TZ0506集美大学诚毅学院采购网络与信息安全技术服务
LBS地理位置信息泄露造成损失
CyberSecurity Law Introduction 网络安全法宣传视频系列
北京楼市成交创历史低值零首付重出江湖
CKM BERRYINET
一个信息安全动画小故事,随意丢弃损毁的U盘,被保洁员拾走,泄了密……