Naked Security

Update your Androids, the October patches are out

It's time to give Android's Media Framework some TLC

It’s the beginning of the month, and that means Google has published its monthly security bulletin for Android devices, detailing all the vulnerabilities it has addressed in this month’s update. Though it’s not a long list of vulnerabilities, almost everything on it is rated High or Critical. (If you want to know what the formal severity ratings like Critical, High and Moderate actually mean, take a look at Android’s Security Updates and Resources page.)

The Android bulletin has two patch levels, one for 1 October 2017 and another for 5 October 2017.

The first part of the bulletin notes that the most severe vulnerabilities are related to the Android Media Framework. The bulletin doesn’t detail the potential impact of each vulnerability it lists, though it says the most severe flaw in the Media Framework could allow arbitrary code execution within the “context of a privileged process.”

The Media Framework, loosely put, is what processes images and videos to display them on the screen, and this isn’t the first time it’s come up for patching – the July 2017 Android Bulletin also listed a number of Media Framework-related issues.

Some of the other vulnerabilities – again, details are a bit vaguely worded in the bulletin – would have allowed for privilege escalation, opening the door for malicious applications or the dreaded remote code execution. One of the Critical vulnerabilities, CVE-2017-0809, affects Android versions 4.4 all the way to 8.0.

It’s a similar story for the second part of the bulletin (5 October 2017), where everything’s either Critical or High. The few details in the bulletin also hint that these vulnerabilities could have allowed remote code execution if exploited.

New! Pixel and Nexus-specific security bulletins

Owners of the Google Pixel and Nexus devices should note that, as of October 2017, Google will publish a separate security bulletin for those devices, alongside the generic Android monthly update.

This first Pixel/Nexus bulletin contains a number of patch updates that, similar to the overall Android bulletin, largely fix issues within the Media Framework and hardware components. Unlike the overall Android bulletin though, the vast majority of these vulnerabilities are rated as Moderate.

The advice is, as always – for those that can – patch as soon as possible to benefit from these updates. If you’re a Google Pixel or Nexus user, you’re in luck, as you should expect to receive all of these security updates within the next two weeks, so be sure to install them right away.


7 Comments

Shame that Huawei don’t update their phones regularly. Not getting even quarterly updates, let alone monthly. Still on June 5th.

Reply

Shame on Google for blocking updates on Android devices without cell service. My old Note3 works fine for what I use it for, although not securely anymore due to not being allowed to get updates over wifi, without a phone contract. Reason number 63 to hate the Evil Google. (No, mhannigan, I don’t really have a numbered list.)

Reply

Really? How do you update Wi-Fi only devices if mobile service is required? Is that a Google limitation or a carrier restriction?

Reply

I had called support on it (admittedly it was a year+ ago) and they told me that unless I have phone service (an active SIM) the phone will not update through the menu. I was told it was Google by Verizon (prior carrier). I tried a few months ago also, just in case that changed. There are ways to hack it on most, but the one phone that doesn’t root, n9000v (if I recall the right #), is the one I have. It’s still a good camera, BT and WiFi device though. Still just like new :/

Reply

When I go to System, about phone, system updates and click on wireless update, my Sophos security app says “this app has been identified as a threat or a potentially unwanted application”, identifying it as Threat Andr/AutoIns-A, so I’m still stuck on Android security patch 5 September 2016. What should I do?

Reply

We’re not really placed to answer support questions here – and we’d need a bit more to go on anyway. For example, what version of Android, what carrier, where did the “Wireless update” app come from, are you locked to Google Play or not.

For help with Android malware, I’d recommend heading to our online community (registration required if you want to ask new questions or post answers for others to read), where you can get support for our free tools:

https://community.sophos.com/

HtH.

Reply

Thank you, I’ll give it a try there and when I do I’ll be sure to include answers to those questions in my initial query.

Reply
