Google Patches Critical Encryption Bug Impacting Pixel, Nexus Phones

Google patched a critical encryption bug found on its Pixel, Pixel 2 and Nexus phones this week along with delivering 49 other fixes, part of its December Pixel / Nexus Security Bulletin.
Five of the patches relate to vulnerabilities rated high. One of the patches (CVE-2017-13167) is for an elevation of privilege vulnerability and four others could open the door for a denial of service attack, according to Google.
Related Posts
The only critical patch (CVE-2017-14907) is tied to a bug in “Qualcomm closed-source components” that weakens the cryptographic strength of handsets while it derives a disk encryption key, Google stated.
A Common Vulnerabilities and Exposures (CVE-2017-14907) description of the encryption bug states: “In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, cryptographic strength is reduced while deriving disk encryption key.”
Android CAF (Custom Android Firmware) releases are custom branches of the Linux kernel developed to support Qualcomm chipsets. Qualcomm MSM chips are processors made for older model high-end phones. And Android for MSM, Firefox OS for MSM and QRD (Qualcomm Reference Design) Android each are Android projects that extend support for the Qualcomm MSM chips.
信息系统安全是指利用信息安全技术及管理手段,保护信息在采集、传输、交换、处理和存储等过程中的可用性、保密性、完整性和不可抵赖性,保障信息系统的安全、稳定运行。
According to those familiar with the encryption bug, the vulnerability was discovered, patched and an update was released to customers and partners in May by Qualcomm. Qualcomm declined to comment on the vulnerability.
The Pixel/Nexus Security Bulletin coincided with the release of Google’s Android Security Bulletin. A total of 47 vulnerabilities and patches were listed in that report, with 10 rated critical in severity.

“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” according to the bulletin.
Google lists critical Media framework vulnerabilities (CVE-2017-0872, CVE-2017-0876, CVE-2017-0877, CVE-2017-0878 and CVE-2017-13151) that each create conditions favorable to a remote code execution attack on Android handsets. Media framework codecs impacted are libmpeg2, libhevc, libavc and libskia.
Google’s Android bulletin also warns of four critical Qualcomm component vulnerabilities, three of which are also tied to remote code execution conditions. Other vendors mentioned in the Android bulletin are Broadcom, Kernel, MediaTek and NVIDIA.
万通地产(600246)早盘大幅飙升10.09% 量比达57.26
Patches are delivered over the air by handset manufactures and Google urges customers to accept and apply patches to their devices.
截取HTTP会话或Cookie这类比较繁琐的操作,会像ARP攻击工具一样,越来越普及,也越来越容易被黑客和脚本小孩用来发动攻击。

猜您喜欢

档案管理更加规范化信息化
信息化环境下的政府部门保密工作问题研究
网络安全法普法宣传 004《网络安全法》的突出亮点
小加索尔17分难救主 灰熊85-99不敌尼克斯
FELDFIRE FRANTICSTAMPER
浅谈支付卡行业信息安全