Android is getting security fixes for more than 100 vulnerabilities, including 29 critical flaws in the media processing server, hardware-specific drivers and other components.
Android’s monthly security bulletin, published Monday, was split into two “patch levels,” which are represented as date strings on the “About” page of Android devices.
The 2017-05-01 security patch level covers fixes for vulnerabilities that are common to all Android devices while the 2017-05-05 level covers additional fixes for hardware drivers and kernel components that are present only in some devices.
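To make the two-level scheme concrete, here is an added example (not code from the bulletin or from Google) that triages an inventory of devices by patch-level string. The device names and inventory are constructed, and the comparison assumes a later patch level includes the fixes of every earlier one.

```shell
#!/bin/sh
# Added example: triage devices by Android security patch level.
# On a device the string is read with:
#   adb shell getprop ro.build.version.security_patch

PARTIAL_LEVEL=20170501   # 2017-05-01: fixes common to all Android devices
FULL_LEVEL=20170505      # 2017-05-05: adds driver and kernel fixes

# classify_patch_level <YYYY-MM-DD> -> missing-all | partial | complete | invalid
classify_patch_level() {
    # Drop spaces and carriage returns that device output may carry.
    level=$(printf '%s' "$1" | tr -d ' \r')
    # Reject anything that is not a well-formed YYYY-MM-DD string.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # YYYY-MM-DD sorts chronologically, so compare as the integer YYYYMMDD.
    n=$(printf '%s' "$level" | tr -d '-')
    if [ "$n" -ge "$FULL_LEVEL" ]; then
        echo complete
    elif [ "$n" -ge "$PARTIAL_LEVEL" ]; then
        echo partial
    else
        echo missing-all
    fi
}

# triage_inventory: reads "<device> <patch-level>" lines on stdin and prints
# "<device> <status>" for every device that is not fully patched.
triage_inventory() {
    while read -r device level; do
        status=$(classify_patch_level "$level")
        [ "$status" = complete ] || echo "$device $status"
    done
}

# Constructed sample inventory (hypothetical device names).
SAMPLE_INVENTORY='phone-01 2017-05-05
phone-02 2017-05-01
phone-03 2017-04-05
tablet-01 2017-06-01
tablet-02 unknown'

printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory
```

A device reported as `partial` has the platform fixes but still lacks the driver and kernel fixes of the second level; `invalid` entries need a manual check.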
This month’s update patches six critical vulnerabilities in Mediaserver, an Android component that handles the processing of image and video files. This component has been a source of many flaws over the past few years, being a regular presence in the monthly Android security bulletins.
The Mediaserver flaws can be exploited by tricking users into downloading specially crafted media files onto their devices, or by sharing such files via email or some other messaging app. It’s not even necessary for the user to open the file because its mere presence on the file system will cause Mediaserver to process it.
By exploiting such flaws, attackers can achieve remote code execution in the context of the Mediaserver process, which has special privileges compared to regular apps. On some devices it can even lead to a complete compromise of all data.
Mediaserver vulnerabilities can theoretically be exploited through multimedia messages (MMS), which is why Google has disabled the automated display of such messages in the default Android text messaging app and Google Hangouts. However, third-party applications might still be exposed to this attack vector.
In addition to the patches for the six critical flaws, the 2017-05-01 patch level also includes fixes for eight high-risk vulnerabilities, five moderate severity flaws and a low severity issue. Some of these vulnerabilities are also located in the Mediaserver component.
Another interesting vulnerability in the Android file-based encryption implementation could have allowed an attacker to bypass the lock screen. If left unpatched, this moderate-risk flaw can allow thieves or law enforcement authorities with physical access to a protected device to extract data from it.
The 2017-05-05 security patch also contains a fix for a remotely exploitable flaw that’s related to media processing. The vulnerability is located in GIFLIB, a library that’s used by the OS for reading and writing GIF format images.
The GIFLIB flaw is rated critical, but its inclusion in the second patch level suggests that it might not affect all devices.
Other critical vulnerabilities covered by this patch level are located in the MediaTek touchscreen driver, the Qualcomm and Motorola bootloaders, the Nvidia video driver, the Qualcomm power driver, the kernel sound and trace subsystems and various other Qualcomm components.
These vulnerabilities can be exploited by a malicious application to execute arbitrary code inside the kernel—the most privileged area of the OS—leading to a complete and permanent compromise of the device. Recovering from such an attack requires reflashing the firmware on the affected device.
Many high and moderate severity vulnerabilities were fixed in other hardware components and kernel subsystems. For some of them, the fixes are only included in the binary files that chipset manufacturers share with device manufacturers and are not publicly available.
In fact, some of the flaws included in this bulletin were already covered by patches released by chipset vendors over the past few years. However, Google decided to include them in its own bulletins now in order to associate their fixes with an Android security patch level.
Google only releases firmware updates for its supported Nexus and Pixel devices and then makes the relevant patches available to the Android Open Source Project (AOSP)—the code that serves as a base for the firmware produced by device makers. Users should look for firmware updates for their specific devices from their manufacturers.