On this Tuesday, Google released their first Android Security Bulletin for 2017. In this, they mentioned that Google patched a total of 95 vulnerabilities in the operating system, 22 of those are rated critical. About 50 of these bugs are addressed as Elevation of privilege flaws.
Since the process has been going over the past several months, the security bulletin of January is split in two. This makes it easy for the manufacturers to sort out the patches: while the 2017-01-05 security patch level addressed 72 bugs affecting drivers and other ODM software, the 2017-01-01 security patch level resolved 23 issues which affect various Android components.
Among these 22 vulnerabilities mentioned above with a Critical severity rating, a Remote code execution flaw was resolved in Mediaserver. This is one of the Android components that are most impacted. From the time Google kicked off the monthly patch program in 2015 summer, several Critical issues are found in Mediaserver. The list starts with the ever so popular Stagefright, and followed by a second Stagefright vulnerability a few months later.
The remaining 21 Critical flaws patched this month include Elevation of privilege issues affecting the kernel memory subsystem, Qualcomm bootloader, kernel file system, NVIDIA GPU driver, MediaTek driver, Qualcomm GPU driver, and Qualcomm video driver. Three other Critical vulnerabilities were patched in various Qualcomm components, Google’s advisory reveals.
While only one of the 23 vulnerabilities addressed in the 2017-01-01 security patch level was rated Critical, 14 of them were rated High severity. These included Remote code execution bugs in c-ares and Framesequence; Elevation of privilege vulnerabilities in Audioserver, Framework APIs, libnl, and Mediaserver; an Information disclosure vulnerability in External Storage Provider; and Denial of service flaws in Mediaserver, core networking, and Telephony.
Eight of the bugs resolved by this security patch level were Medium risk: an Elevation of privilege vulnerability in Contacts, two Information disclosure vulnerabilities in Mediaserver, and five Information disclosure issues in Audioserver.