Google this week announced the contents of the May 2017 Android security patches, revealing that six Critical Remote Code Execution (RCE) flaws were addressed in the Mediaserver component.
Over the past couple of years, Mediaserver emerged as one of the most vulnerable Android components, after a Critical RCE bug dubbed Stagefright was said to affect 950 million devices. Detailed in July 2015, the vulnerability encouraged Google to issue monthly security updates for Android.
A second Stagefright flaw was resolved only months later, and Google addressed numerous other vulnerabilities in Mediaserver over the nearly two years of regular patches. The company even decided to re-architect Mediaserver with the release of Android 7.0 Nougat in August last year, but security researchers continue to find vulnerabilities in the component.
Published on Monday, Google’s Android Security Bulletin for May 2017 was divided into two patch levels: the 2017-05-01 partial security patch level string, which addresses 20 flaws, and the 2017-05-05 complete security patch level string, which addresses 98 issues. None of the vulnerabilities has been exploited or abused in live attacks, Google’s advisory reveals.
The six Critical issues in Mediaserver, resolved in the 2017-05-01 patch level string, could enable remote code execution on affected devices through multiple methods, including email, web browsing, and MMS when processing media files. The bugs impact numerous platform versions, including Android 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, and 7.1.2.
The patch level also addresses three High-risk Elevation of privilege (EoP) and four Denial of service (DoS) (two High, one Moderate, and one Low severity) vulnerabilities in the Mediaserver component.
The remaining 7 issues include two High-risk bugs in Framework APIs (one EoP and one Information disclosure), a High severity EoP in Audioserver, a Medium-risk EoP in Bluetooth, and three Moderate severity Information disclosure vulnerabilities (in File-Based Encryption, Bluetooth, and OpenSSL & BoringSSL).
The 2017-05-05 security patch string resolves 23 Critical bugs, 59 High severity issues, and 16 Moderate-risk flaws. All of the vulnerabilities addressed in the previous strings are also resolved in this patch level, Google notes.
The 23 Critical bugs included an RCE in GIFLIB; 8 EoPs in the MediaTek touchscreen driver, Qualcomm bootloader, kernel sound subsystem, Motorola bootloader, NVIDIA video driver, Qualcomm power driver, and kernel trace subsystem; and 14 various vulnerabilities in Qualcomm components.
Of the 59 High severity issues, 14 were various bugs in Qualcomm components; one RCE in libxml2; 40 EoPs in MediaTek drivers, Qualcomm drivers, kernel subsystems (performance and networking), Goodix touchscreen driver, and HTC bootloader; 3 Information disclosure flaws in MediaTek command queue driver and Qualcomm Wi-Fi and crypto engine drivers; and one DoS in Qualcomm Wi-Fi driver.
All of the 16 Moderate severity vulnerabilities were Information disclosure bugs, affecting kernel UVC driver and kernel trace subsystem, Qualcomm drivers (video, power, LED, shared memory, sound codec, camera, sound, SPCom), Broadcom Wi-Fi driver, and Synaptics touchscreen driver.
“The most interesting piece of the May Android patches is that Google fixed six issues affecting Mediaserver, all with critical severity indicating the potential for remote code execution. What is not clearly stated is whether the mitigations added into the Android 7.0 release might actually prevent an attacker from exploiting the bugs,” Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team (VERT), told SecurityWeek in an emailed comment.
“With Android 7.0, Google has revamped the Mediaserver component by moving risky parsing code into unprivileged sandboxes and by enabling Undefined Behavior Sanitizer (UBSAN) to prevent exploitation of the most common bug classes found in this component. It would be nice to see Google release more detailed bulletins indicating the impact of various vulnerabilities specifically to the different Android versions.
“It is also good to see that Google’s telemetry through SafetyNet did not reveal any active customer exploitation of any flaws fixed in the May update,” Young concluded.