Massive double boxset of Android patches lands after Qualcomm disk encryption blown open

This month, Google has released two bundles of Android security patches: a smaller one to deal with bugs in the operating system and a larger pile that tackles a raft of driver-level problems, especially with Qualcomm’s hardware.

The first tranche of patches contains eight critical, eleven high severity, and nine fixes that are considered moderate. All but one of the critical patches are for Android’s soon-to-be redesigned Mediaserver, along with seven high-severity holes and 3 moderates.

As ever, people have found new ways to corrupt and hijack Mediaserver through the use of booby-trapped video files and multimedia messages. Opening a malicious vid could lead to full remote code execution on Android devices from version 4.4 up to the latest build.

The other critical fix covers a flaw in OpenSSL and Google’s stripped-down software fork BoringSSL. These libraries also suffer from memory corruption bugs that can potentially be exploited to execute code on vulnerable devices.

Other issues of high importance in the update include fixing the way Android handles Bluetooth communications that would allow an attacker to inject and run code on a nearby device when performing an initial pairing with a new user. Below is the full flaw list.

But wait, there is more.

So far, so Google. The patch bundle is in line with other monthly patching programs from the Chocolate Factory. If you have a Google Nexus device, you will get these fixes soon enough over the air automatically. If not, you may well have to wait a while for your device manufacturer and cell carrier to push those updates to you – if they ever appear.

Meanwhile, Google is issuing a second string of patches that aren’t going on general release: they will be pushed out to Nexus owners and hardware manufacturers who are expected to pass on the updates to their customers.

This second set is a much larger tranche of code, including 12 critical fixes, fifty-four rated high severity, and nine moderates. Google said the second patch bundle will “provide Android partners with the flexibility to move more quickly to fix a subset of vulnerabilities that are similar across all Android devices.”

What could this subset of vulnerabilities be? The list of fixes contains some interesting hints. Last week, security researcher Gal Beniamini revealed a way to defeat Android’s full-disk encryption system by exploiting errors in Qualcomm’s KeyMaster cryptography application. The design flaws can potentially be exploited by someone who has seized your device to unlock and decrypt your encrypted file system by brute force.

Google and Qualcomm said the problem was fixed in patches issued in January and May, and Mountain View paid Beniamini a bug bounty for his find. However, the researcher pointed out that other flaws hiding within Android, particularly elevation of privilege bugs, could be found and exploited to break the encryption system once more.

So it’s interesting that this secondary bundle contains fixes for forty flaws in Qualcomm components – more than half of the total, and pretty much all of them are escalation-of-privilege holes. If you were emitting a set of fixes to shore up devices against KeyMaster-based attacks, it would probably look a lot like this one.

The first critical patches on the list are for the Qualcomm GPU drivers in Nexus 5X, 6, and 6P to fix an elevation of privilege vulnerability that could allow an attacker to “execute arbitrary code within the context of the kernel.” There are another 36 Qualcomm high- and moderate-severity flaw fixes included in the release.

All Nexus devices get a critical patch for an elevation of privilege vulnerability in the Android kernel file system that could have the same impact. Nexus 5 and 7 devices also get critical fixes for security vulnerabilities affecting Qualcomm components, including bootloader, camera, character, networking, sound, and video drivers.

There are also six critical patches for the Android One operating system, used by its basic device range. They fix flaws in the MediaTek driver and other parts of the vendor’s kit that could compromise the kernel and lead to the device being wiped to recover.