Android security alert: Google’s latest bulletin warns of 47 bugs, 10 critical

Google has published its Android security bulletin for December, warning of 47 bugs across the operating system.
Tech Pro Research
IT leader’s guide to the threat of fileless malware
智能互联成热点,天威视讯亮相多项”黑科技”
Network security policy
Lunch and learn: BYOD rules and responsibilities
公司应该设立独立于信息技术部门的信息科技风险审计岗位,负责信息科技审计制度制订和信息系统风险评估与审计。
Guidelines for building security policies
Security awareness and training policy
Ten of the vulnerabilities are rated ‘critical’ in their potential impact, the most severe type of bug, while the other 37 are rated as ‘high’ priority.
Google said it had split the vulnerabilities into two patch levels in its alert, so that Android smartphone makers can fix a subset of vulnerabilities that are similar across all Android devices more quickly, should they want to.
But it warned: “Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.” It recommended that they bundle the fixes for all the issues they are addressing in a single update.
Google said among the most severe of these flaws is a critical security vulnerability in the media framework that could enable a remote attacker, using a specially crafted file, to execute arbitrary code within the context of a privileged process.Google is urging Android device makers to fix all the issues in its December security bulletin.
Image: Getty Images
The first group of 19 vulnerabilities, 2017-12-01, also includes a flaw in the framework section, which could enable a local malicious application to bypass user interaction requirements to gain access to additional permissions. Under system, the worst bug could allow a “proximate attacker” to execute arbitrary code within the context of a privileged process.
The second group of 27 bugs, 2017-12-05, security patch level includes under kernel components a vulnerability that could allow local malicious applications to execute arbitrary code.

There are also vulnerabilities in MediaTek and Nvidia components that could let a local malicious app execute arbitrary code within the context of a privileged process. The bulletin also lists nine vulnerabilities in Qualcomm components and nine vulnerabilities in Qualcomm closed-source components.
These bugs won’t come as a surprise to the makers of Android smartphones. Google’s partners are notified of all issues at least a month before publication. Source-code patches for these issues will be released to the Android Open Source Project repository in the next 48 hours.
Google said exploiting issues on Android is made more difficult by features in newer versions of the Android platform: “We encourage all users to update to the latest version of Android where possible.”
However, not all Android makers feel that updating old hardware to the newest version of Android is a particular priority, leaving many smartphones languishing on older and therefore less secure versions.Previous and related coverage Android’s big problem: Over a billion devices are more than two years out of date Android’s rapid growth and update challenges have left over one billion devices running very out of date software. Android security triple-whammy: New attack combines phishing, malware, and data theft Attacks on three fronts ensure attackers have all the information they need to steal banking details in the latest evolution of the Marcher malware, warn researchers. Google says these are the best Android apps of 2017 but do you agree? Google names most popular and best Android apps of the year.Read more on Android securityGoogle names 42 Android devices with users running security updates from last two monthsAndroid Oreo: Google adds in more Linux kernel security featuresGoogle Play Protect rolling out to Android devices for better securityAmazon’s app store compromises Android securityMost Android users running outdated security patches: report (CNET)iOS and Android security: A timeline of the highlights and the lowlights (TechRepublic)
Related Topics:
Enterprise Software
Security TV
Data Management
要定期检查微博账号的应用授权访问情况,在发现异常时,及时取消对不良应用的访问授权,以便清除不安隐患。

猜您喜欢

获国家“信息系统安全等级保护”三级认证的互金平台仅86家 甘肃省…
适用于任何行业的EHS电子教学课程
网络安全法实施宣传
万元无人机“生前”最后一张照片
HOWDOESSHE TIMELESSBODYART
从对准入控制的挑战看安全博弈