Google Patches Critical Encryption Bug Impacting Pixel, Nexus Phones

Google patched a critical encryption bug found on its Pixel, Pixel 2 and Nexus phones this week along with delivering 49 other fixes, part of its December Pixel / Nexus Security Bulletin.
Five of the patches relate to vulnerabilities rated high. One of the patches (CVE-2017-13167) is for an elevation of privilege vulnerability and four others could open the door for a denial of service attack, according to Google.
Related Posts
The only critical patch (CVE-2017-14907) is tied to a bug in “Qualcomm closed-source components” that weakens the cryptographic strength of handsets while it derives a disk encryption key, Google stated.
彭劲松:云计算时代IT职能将从服务保障转变为IT治理

A Common Vulnerabilities and Exposures (CVE-2017-14907) description of the encryption bug states: “In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, cryptographic strength is reduced while deriving disk encryption key.”
Android CAF (Custom Android Firmware) releases are custom branches of the Linux kernel developed to support Qualcomm chipsets. Qualcomm MSM chips are processors made for older model high-end phones. And Android for MSM, Firefox OS for MSM and QRD (Qualcomm Reference Design) Android each are Android projects that extend support for the Qualcomm MSM chips.
According to those familiar with the encryption bug, the vulnerability was discovered, patched and an update was released to customers and partners in May by Qualcomm. Qualcomm declined to comment on the vulnerability.
The Pixel/Nexus Security Bulletin coincided with the release of Google’s Android Security Bulletin. A total of 47 vulnerabilities and patches were listed in that report, with 10 rated critical in severity.
“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” according to the bulletin.
Google lists critical Media framework vulnerabilities (CVE-2017-0872, CVE-2017-0876, CVE-2017-0877, CVE-2017-0878 and CVE-2017-13151) that each create conditions favorable to a remote code execution attack on Android handsets. Media framework codecs impacted are libmpeg2, libhevc, libavc and libskia.
Google’s Android bulletin also warns of four critical Qualcomm component vulnerabilities, three of which are also tied to remote code execution conditions. Other vendors mentioned in the Android bulletin are Broadcom, Kernel, MediaTek and NVIDIA.
Patches are delivered over the air by handset manufactures and Google urges customers to accept and apply patches to their devices.
我们经常教育员工,密码用于识别我们的身份,保护密码就是保护我们的身份,要将私人帐户的密码与工作用账户的密码设置为不同。否则,一旦私人账号密码被击破,不良的攻击者可能会冒用我们的身份在公司进行破坏,反之亦然。
丢失电话远程定位、锁定及删除程序热火,多数智能手机都已经有远程定位手机的功能,用于在手机丢失后减少相应的损失。

猜您喜欢

蚂蚁金服成立企业安全响应联盟 聚生态力量为企业构筑网络安全屏…
安全管理者的利器——安全意识培训工具箱
Cyber Security Law 网络安全法宣传视频《网络安全法》背景知识
国防科大连续4年夺得国际遗传工程机器设计大赛金奖
ATEN TMSNEURO
儿童监控、安防产业、智能家庭与信息安全