Google released its set of security fixes for Android on Monday, November 6, 2017, to state thirty-one vulnerabilities, nine of which are faraway code execution issues regarded dangerous severity. The all nine vulnerabilities are associated with the newly discovered KRACK threat.

According to the newly released Android Security news in November 2017 is divided into three security patches. The patch levels occurred on November 1 & 5 comprise fixes for both dangerous and high strictness issues, while the patch level occurred on November 6 fixes only high risk KRACK vulnerabilities. The eleven issues spoken in Android occurred from November 1; security patch level contains six dangerous remote code implementation flaws, three high strictness advancement of privilege bugs, and two high severity evidence revelation vulnerabilities.

The Media framework had been crushed the utmost, with seven issues that were spoken in it, containing five dangerous. The crushed Android versions contained 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, and 8.0. The eleven vulnerabilities were stated with the November 5 security patch level contain three hazardous distant code implementation faults, seven high risk elevation of privilege bugs, and one high strictness information report. Qualcomm elements were crushed the maximum, with seven issues reported.

In a widespread post, Linux developer Scott Bauer clarifies that the faraway code implementation vulnerabilities are situated in the qcacld Qualcomm/Atheros Wi-Fi driver that sends in the Pixel and Nexus 5X devices.

The researcher says he reported 8 such bugs to Google several months ago, and that the company is slowly patching them (some issues were addressed in previous monthly updates). Due to the severity of the bugs, the researcher found he was eligible for around $22,000 in bug bounty rewards.

He explains that one of the bugs (CVE-2017-11013) can be used to target different types of memory. “This bug would be an excellent target for a true proximal kernel remote code execution, because you have controlled data, and you have a variety of locations you can overflow into,” the researcher notes.

The researcher presents methodical facts on two further issues reported in November as well, i.e. CVE-2017-11014 and CVE-2017-11015. They both heap overspill vulnerabilities, along with on three additional flaws. The two of the described bugs not yet been fixed.

All nine vulnerabilities spoken during November 6 security patch level are associated with the KRACK threat exposed previous month. Short for Important Reinstallation Threat, KRACK is a threat technique using bugs in the WPA2 protocol that safeguards advanced Wi-Fi networks. The practice permits an attacker to access data supposed to be encoded and even inject or operating data. Vendors started pronouncing fixes for these bugs instantly after the threat went public along with industrial products also susceptible to KRACK threats. Apple spoke the faults in various products with the announcement of security updates the previous week.

Google initiated revealing a distinct security news for Nexus and Pixel devices starting in October 2017 to report simply vulnerabilities exact to these devices. Google spoke frequently about the elevation of privilege issues this month, but also settled entire information released bugs, faraway code implementation vulnerabilities, and rejection of service failures.

The update also contains patches for a sequence of operation issues for groups as well as the security fixes likely Audio, Bluetooth, Camera, Mobile data, and Application stability.

Leave a Reply

Your email address will not be published. Required fields are marked *