Google releases April 2017 Android Security Bulletin and Google Device Images

Rapid John
Posted on April 05, 2017, 3:08 pm
10 mins

Google has released the April 2017 Android Security Bulletin. Partners have had access to the warnings in this month’s bulletin since March 06, 2017 or earlier.

The April bulletin has two security patch levels to provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices.

  • 2017-04-01: Partial security patch level string. This security patch level string indicates that all issues associated with 2017-04-01 (and all previous security patch level strings) are addressed.
  • 2017-04-05: Complete security patch level string. This security patch level string indicates that all issues associated with 2017-04-01 and 2017-04-05 (and all previous security patch level strings) are addressed.

Supported Google devices will receive a single OTA update with the April 05, 2017 security patch level

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.

iPhone X Google releases April 2017 Android Security Bulletin and Google Device Images

Alongside the bulletin, Google have released a security update to Google devices through an over-the-air (OTA) update. The Google device firmware images have also been released to the Google Developer site. Security patch levels of April 05, 2017 or later address all of these issues.

The tables below contains a list of security vulnerabilities, the Common Vulnerability and Exposures ID (CVE), the assessed severity, and whether or not Google devices are affected. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.

Security patch levels of 2017-04-01 or later must address the following issues.
[table style=”table-striped”]

Issue CVE Severity Affects Google devices?
Remote code execution vulnerability in Mediaserver CVE-2017-0538, CVE-2017-0539, CVE-2017-0540, CVE-2017-0541, CVE-2017-0542, CVE-2017-0543 Critical Yes
Elevation of privilege vulnerability in CameraBase CVE-2017-0544 High Yes
Elevation of privilege vulnerability in Audioserver CVE-2017-0545 High Yes
Elevation of privilege vulnerability in SurfaceFlinger CVE-2017-0546 High Yes
Information disclosure vulnerability in Mediaserver CVE-2017-0547 High Yes
Denial of service vulnerability in libskia CVE-2017-0548 High Yes
Denial of service vulnerability in Mediaserver CVE-2017-0549, CVE-2017-0550, CVE-2017-0551, CVE-2017-0552 High Yes
Elevation of privilege vulnerability in libnl CVE-2017-0553 Moderate Yes
Elevation of privilege vulnerability in Telephony CVE-2017-0554 Moderate Yes
Information disclosure vulnerability in Mediaserver CVE-2017-0555, CVE-2017-0556, CVE-2017-0557, CVE-2017-0558 Moderate Yes
Information disclosure vulnerability in libskia CVE-2017-0559 Moderate Yes
Information disclosure vulnerability in Factory Reset CVE-2017-0560 Moderate Yes

[/table]

Security patch levels of 2017-04-05 or later must address all of the 2017-01-01 issues, as well as the following issues.
[table style=”table-striped”]

Issue CVE Severity Affects Google devices?
Remote code execution vulnerability in Broadcom Wi-Fi firmware CVE-2017-0561 Critical Yes
Remote code execution vulnerability in Qualcomm crypto engine driver CVE-2016-10230 Critical Yes
Remote code execution vulnerability in kernel networking subsystem CVE-2016-10229 Critical Yes
Elevation of privilege vulnerability in MediaTek touchscreen driver CVE-2017-0562 Critical No*
Elevation of privilege vulnerability in HTC touchscreen driver CVE-2017-0563 Critical Yes
Elevation of privilege vulnerability in kernel ION subsystem CVE-2017-0564 Critical Yes
Vulnerabilities in Qualcomm components CVE-2016-10237, CVE-2016-10238, CVE-2016-10239 Critical Yes
Remote code execution vulnerability in v8 CVE-2016-5129 High Yes
Remote code execution vulnerability in Freetype CVE-2016-10244 High Yes
Elevation of privilege vulnerability in kernel sound subsystem CVE-2014-4656 High Yes
Elevation of privilege vulnerability in NVIDIA crypto driver CVE-2017-0339, CVE-2017-0332, CVE-2017-0327 High Yes
Elevation of privilege vulnerability in MediaTek thermal driver CVE-2017-0565 High No*
Elevation of privilege vulnerability in MediaTek camera driver CVE-2017-0566 High No*
Elevation of privilege vulnerability in Broadcom Wi-Fi driver CVE-2017-0567, CVE-2017-0568, CVE-2017-0569, CVE-2017-0570, CVE-2017-0571, CVE-2017-0572, CVE-2017-0573, CVE-2017-0574 High Yes
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver CVE-2017-0575 High Yes
Elevation of privilege vulnerability in NVIDIA I2C HID driver CVE-2017-0325 High Yes
Elevation of privilege vulnerability in Qualcomm audio driver CVE-2017-0454 High Yes
Elevation of privilege vulnerability in Qualcomm crypto engine driver CVE-2017-0576 High Yes
Elevation of privilege vulnerability in HTC touchscreen driver CVE-2017-0577 High No*
Elevation of privilege vulnerability in DTS sound driver CVE-2017-0578 High No*
Elevation of privilege vulnerability in Qualcomm sound codec driver CVE-2016-10231 High Yes
Elevation of privilege vulnerability in Qualcomm video driver CVE-2017-0579, CVE-2016-10232, CVE-2016-10233 High Yes
Elevation of privilege vulnerability in NVIDIA boot and power management processor driver CVE-2017-0329 High Yes
Elevation of privilege vulnerability in Synaptics touchscreen driver CVE-2017-0580, CVE-2017-0581 High No*
Elevation of privilege vulnerability in Qualcomm Seemp driver CVE-2017-0462 High Yes
Elevation of privilege vulnerability in Qualcomm Kyro L2 driver CVE-2017-6423 High Yes
Elevation of privilege vulnerability in kernel file system CVE-2014-9922 High Yes
Information disclosure vulnerability in kernel memory subsystem CVE-2014-0206 High Yes
Information disclosure vulnerability in kernel networking subsystem CVE-2014-3145 High Yes
Information disclosure vulnerability in Qualcomm TrustZone CVE-2016-5349 High Yes
Information disclosure vulnerability in Qualcomm IPA driver CVE-2016-10234 High Yes
Denial of service vulnerability in kernel networking subsystem CVE-2014-2706 High Yes
Denial of service vulnerability in Qualcomm Wi-Fi driver CVE-2016-10235 High No*
Elevation of privilege vulnerability in kernel file system CVE-2016-7097 Moderate Yes
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver CVE-2017-6424 Moderate Yes
Elevation of privilege vulnerability in Broadcom Wi-Fi driver CVE-2016-8465 Moderate Yes
Elevation of privilege vulnerability in HTC OEM fastboot command CVE-2017-0582 Moderate Yes
Elevation of privilege vulnerability in Qualcomm CP access driver CVE-2017-0583 Moderate Yes
Information disclosure vulnerability in kernel media driver CVE-2014-1739 Moderate Yes
Information disclosure vulnerability in Qualcomm Wi-Fi driver CVE-2017-0584 Moderate Yes
Information disclosure vulnerability in Broadcom Wi-Fi driver CVE-2017-0585 Moderate Yes
Information disclosure vulnerability in Qualcomm Avtimer driver CVE-2016-5346 Moderate Yes
Information disclosure vulnerability in Qualcomm video driver CVE-2017-6425 Moderate Yes
Information disclosure vulnerability in Qualcomm USB driver CVE-2016-10236 Moderate Yes
Information disclosure vulnerability in Qualcomm sound driver CVE-2017-0586 Moderate Yes
Information disclosure vulnerability in Qualcomm SPMI driver CVE-2017-6426 Moderate Yes
Information disclosure vulnerability in NVIDIA crypto driver CVE-2017-0328, CVE-2017-0330 Moderate No*
Vulnerabilities in Qualcomm components** CVE-2014-9931, CVE-2014-9932, CVE-2014-9933, CVE-2014-9934, CVE-2014-9935, CVE-2014-9936, CVE-2014-9937, CVE-2015-8995, CVE-2015-8996, CVE-2015-8997, CVE-2015-8998, CVE-2015-8999, CVE-2015-9000, CVE-2015-9001, CVE-2015-9002, CVE-2015-9003, CVE-2016-8489 Critical No*

[/table]

Android and Google Service Mitigations

This is a summary of the mitigations provided by the Android security platform and service protections, such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
  • As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as Mediaserver.

Full details of the April 2017 Android Security Bulletin is available here.

Rapid John
Rapid John has a quarter of a century in programming for Government and Corporate bodies and is proficient in most major programming languages.  He is constantly running around showing us his latest bit of code and telling us how fantastic it is. (John we know). He is responsible for carrying out presentations to corporate and business customers and is a BlackBerry Elite.

Leave a Reply

You must be logged in to post a comment.