Among the 138 vulnerabilities disclosed in its Android Security Bulletin for July 2017, Google reported a critical flaw in media framework that could enable a remote attacker to execute arbitrary code using a specially crafted file. Google classified the media framework issue as severe based on its potential impact on an infected device.
The good news is that Google has received no reports of active customer exploitation or abuse of these newly reported Android vulnerabilities. Still, the technology giant implored users to accept its updates as soon as possible.
Patching Android Vulnerabilities
The monthly update is split into two partial security patch level strings: The 2017-07-01 security patch level addresses issues in the Android platform, while the 2017-07-05 level resolves device-specific vulnerabilities in components supplied by manufacturers, SecurityWeek reported. The update fixed 27 vulnerabilities in media framework. Ten of these issues were viewed as critical, 15 as high and two as moderate.
The patches also addressed a critical file called Broadpwn, which is a remote code execution vulnerability in the Broadcom Wi-Fi driver. In its advisory note, Google credited security researcher Nitay Artenstein of Exodus Intelligence for his work on the patched Broadcom issue. According to eWEEK, Artenstein will provide more insight into this vulnerability at the Black Hat security conference on July 27.
Mitigating the Risk
Google reported that partners were notified of the issues described in the bulletin at least a month ago. Source code patches for these vulnerabilities have been released to the Android Open Source Project (AOSP) repository. The bulletin also included links to patches outside the AOSP.
The firm issued over-the-air updates and firmware images for the Pixel/Pixel XL, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player and Pixel C, according to SC Magazine. Additionally, the advisory note included mitigations, which Google said can help reduce the likelihood of a successful exploitation.
Staying on Top of Threats
According to Gartner, 81.7 percent of the smartphones sold in the last quarter of 2016 ran the Android operating system. Google’s monthly update serves as another warning for IT managers to stay on top of their firm’s mobile security patches and policies. Removing malware can be a tricky task, but smart device management can reduce the need for a reactive approach.