Massive double boxset of Android patches lands after Qualcomm disk encryption blown open

snapdragon_820

Google has released two bundles of Android safety patches this month: a smaller one to deal with bugs in the operating machine, and a bigger bundle that tackles a raft of motive force-level troubles, specially with Qualcomm’s hardware.

The primary tranche of patches includes eight essential, eleven high severity, and nine fixes which might be considered moderate. All but one of the important patches are for Android’s soon-to-be redesigned Mediaserver, along with seven excessive-severity fixes and 3 moderates.

Read More Articles :

As ever, human beings have located new ways to corrupt and hijack Mediaserver the usage of booby-trapped video documents and multimedia messages. Establishing a malicious vid could lead to complete far off code execution on Android gadgets from model 4.four.4 as much as the most the latest construct.

The alternative important restoration covers a flaw in OpenSSL and Google’s stripped-down software program fork BoringSSL. These libraries also be afflicted by memory corruption bugs that can be doubtlessly exploited to execute code on prone gadgets.

Different issues of excessive importance in the update include a restoration at the way Android handles Bluetooth communications that would permit an attacker to inject and run code on a close-by tool when appearing a preliminary pairing with a brand new individual. Beneath is the total flaw list.

But wait, there is more

Thus, far, so Google. The patch bundle is in line with Other monthly patching programs from the Chocolate Manufacturing facility. If you have a Google Nexus device, you will get your hands on These fixes quickly enough over the air robotically. If now not, you could properly must wait awhile on your device manufacturer and cell carrier to push Those updates to you – in the event that they ever appear.

Meanwhile, Google is issuing a second string of patches that aren’t happening popular release: they may be driven out to Nexus proprietors and to hardware manufacturers who’re expected to then pass at the updates to their customers.

This 2nd set is a mile large tranche of code, such as 12 critical fixes, fifty-four rated excessive severity, and nine moderates. Google said the second one patch bundle will “offer Android partners with the ability to transport more speedy to restore a subset of vulnerabilities that are comparable throughout all Android gadgets.”

What could this subset of vulnerabilities be? The listing of fixes incorporates some interesting recommendations. Wi-fi week, protection researcher Gal Beniamini discovered a manner to defeat Android’s complete-disk encryption machine the usage of errors in Qualcomm’s KeyMaster cryptography application. The design flaws may be doubtlessly exploited with the aid of a person who has seized your tool to liberate and decrypt your encrypted record gadget with brute pressure.

Google and Qualcomm said the problem changed into fixed in patches issued in January and might, and Mountain View paid Beniamini a bug bounty for his find. However, the researcher pointed out that Different flaws hiding inside Android, specially elevation of privilege insects, may be located and exploited to break the encryption gadget once more.

So it’s interesting that this secondary package consists of fixes for forty flaws with Qualcomm additives – more than half of the overall, and pretty tons all of them are escalation-of-privilege holes. If you had been emitting a hard and fast of fixes to shore up devices towards KeyMaster-primarily based attacks, it would possibly look lots like this one.

The primary crucial patches at the list are for the Qualcomm GPU drivers in Nexus 5X, 6, and 6P, to restoration an elevation of privilege vulnerability that might allow an attacker to “execute arbitrary code within the context of the kernel.” There are some other 36 Qualcomm excessive- and mild-severity flaw fixes covered inside the release.

All Nexus gadgets get a vital patch for an elevation of privilege vulnerability in the Android kernel record system that might have the same impact. Nexus 5 and 7 devices additionally get crucial fixes for security vulnerabilities affecting Qualcomm components inclusive of the bootloader, digicam, man or woman, networking, sound, and video drivers.

There also are six crucial patches for the Android One running device, used by its basic device range. They repair flaws in the MediaTek driving force and Other parts of the provider’s kit that could compromise the kernel and lead to the tool having to be wiped to recover.