Google has released its May security updates for Android, including a laundry list of critically rated issues along with updates for its Nexus and Pixel smartphones.
The most important update, according to Google, covers a vulnerability that could allow remote code execution through a variety of methods while processing media files using Mediaserver. The six CVEs (CVE-2017-0587, CVE-2017-0588, CVE-2017-0589, CVE-2017-0590, CVE-2017-0591 and CVE-2017-0592) addressing this issue were all reported during the first five months of 2017.
“We have had no reports of active customer exploitation or abuse of these newly reported issues,” Google reported.
However, Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team, is still curious if the mitigations pushed by Google in the Android 7.0 release will stop an attacker.
“Google does note that the impact is determined based on the assumption that mitigations are disabled or have been successfully bypassed, but this is not as helpful as it could be. It would be nice to see Google release more detailed bulletins indicating the impact of various vulnerabilities specifically to the different Android versions. Until recently, Microsoft provided this level of detail in their bulletins and it was helpful for highlighting the security advantages of keeping up with the latest Windows version and not just the latest patch level,” he said.
Mediaserver also had three vulnerabilities rated high that, if left unpatched, could lead to elevation of privilege, enabling a local malicious application to execute arbitrary code within the context of a privileged process.
Other critical-rated vulnerabilities were listed for Google GIFLIB, the MediaTek touchscreen driver, the kernel sound subsystem and the Qualcomm bootloader.