Google has teased 47 Android patches for Nexus and Pixel devices.
Among the critical bugs in the Android Security Bulletin, five concern the media framework, one is system-level, four hit Qualcomm components. The worst, Google said, is one of the media framework bugs, not yet fully disclosed, but it “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process”.
Two of the media framework bugs only affect Android 6.0 (31 per cent of active devices), one affects only Android 8.0 (0.3 per cent), one affects all versions between 7.0 and 8.0 (20.9 per cent), and the most widespread is in all version after 6.0 (nearly 52 per cent of devices).
Google hasn’t yet gone public with the nature of these bugs, nor has it divulged the system-level bug that affects Android 7.0 onwards, beyond saying that “a proximate attacker” could “execute arbitrary code” (in other words, vulnerable versions could be attacked over-the-air, either via WiFi, the cellular modem, or Bluetooth).
Three out of the four bugs inherited from Qualcomm are have already been revealed to the public. In CVE-2017-11043, there’s an integer overflow in the numap process (part of the WiFi code); in CVE-2016-3706 and CVE-2016-4429, there’s a stack overflow in a UDP RPC component. All three could be remotely exploitable.
A Qualcomm closed-source component is vulnerable to the yet-to-be-disclosed CVE-2017-6211.
37 of the bugs are rated “High”, five of which are also Qualcomm-specific, and one upstream fix in the Linux kernel to take care of a privilege escalation bug.
Other vendors in the naughty corner include MediaTek and Nvidia, with three vulnerabilities each.
Source code patches will land within 48 hours, Pixel and Nexus firmware images are due December 5, US time, and the rest of the world can, as usual, wait for patches to wend their tired way down through vendors and carriers to land as an over-the-air update. Eventually. ®