Google has patched many security vulnerabilities in the latest February 2017 update, taking care of a new round of Stagefright flaws. The new Android patch update was released on February 6 and it fixed 58 different vulnerabilities, with 45 more than Google has patched in February 2016 Android update.
Eight vulnerabilities patched in the February 2017 update were rated as being critical and one of them is CVE-2017-0405, which could allow remote code execution in the Android Surfaceflinger graphics library, giving the attacker the freedom to use a use a “specially crafted file to cause memory corruption during media file and data processing” and Google has rated it as Critical “due to the possibility of remote code execution within the context of the Surfaceflinger process”.
Researchers Scott Bauer and Daniel Micay of Copperhead Security have discovered the Surfaceflinger issue in 2015. In October Micay has reported a another security flaw named Stagefright 2, but the original media server flaw was discovered in July 2015 and in August, Google started releasing monthly patches to fix security vulnerabilities.
There are four stagefright related vulnerabilities that have been patched in the February 2017 update, and two of them, CVE-2017-0406 and CVE-2017-0407, also rated as Critical, were remote code issues in mediaserver. Google has also patched two high severity issues, CVE-2017-0409 (in the libstagefright library) and CVE-2017-0415 (privilege escalation vulnerability in mediaserver). Google has explained that “An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code within the context of the kernel” and “This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.”
Another patched critical privilege escalation flaw is CVE-2014-9914, which is related to the kernel networking subsystem, and which Google has firstly fixed in 2014 in the upstream Linux kernel. Qualcomm had 19 flaws that have been patched in the February 2017 update, of which two were rated as Critical, two had a moderate severity and 15 were rated as high.