The January security update has just arrived for Android, and the patch fixes a large number of bugs and other vulnerabilities that Android has been dealing with. Quite a few Android components have been plagued with issues over the past few months, and some of these vulnerabilities have been classified as serious.
January Android Update Arrives
Quite a few vulnerabilities are being fixed in the January Android security update. Overall, 95 vulnerabilities are going to be fixed in January across two different updates. The first update is labeled January 1 and fixes 23 bugs. The January 5 update fixes 72 vulnerabilities. There are 10 critical vulnerabilities that are going to be addressed, and a couple of these vulnerabilities have been labeled critical.
The Android Security Bulletin lists the Mediaserver vulnerability as the most critical and serious bug. It will be fixed along with issues in the Qualcomm driver and NVIDIA’s GPU driver. For the Mediaserver vulnerability, it was said that remote code execution could be achieved through various methods such as web browsing, MMS, and email.
This, of course, would be pretty bad news and could lead to an Android device being hacked or taken over by a nefarious group or person. The identifier for this security vulnerability is CVE-2017-0381. This Mediaserver vulnerability is known as Stagefright, and it has already been patched over 30 times.
Other parts of the Mediaserver components are vulnerable as well, and Google also identified a denial of service vulnerability. That denial of service vulnerability is high-risk, and so is the other vulnerability Google found, an elevation of privilege vulnerability. Since both of these are high-risk, Google wanted to get a fix out as soon as possible, and that fix is in the January Android security update.
Android Nexus devices are the devices that get these monthly security updates, which arrive as over-the-air updates. There will be one over-the-air update for other supported devices on January 5, 2017. Google is also going to get updates to LG and Samsung for those manufacturers' Android devices in the coming weeks. Samsung said in a bulletin that security patches are sometimes delayed for some models and regions, but that the patches will be sent to all applicable models as soon as possible.
Google said there has been no exploitation of the vulnerabilities so far, which is good news for Android users. Out of all of the vulnerabilities, 29 were critical and 26 were considered to be of moderate risk. 41 of the vulnerabilities were considered high-risk, which is quite a few in that category. Google wanted to get this update out as soon as possible because so many of the vulnerabilities were serious, high-risk ones as opposed to many low-risk vulnerabilities.
Google also thanked the companies and people who helped find and fix these vulnerabilities so easily and quickly. Trend Micro was one company that really helped Google, specifically researcher Peter Pi. The Mobile Threat Research Team was invaluable to Google in finding and reporting the vulnerabilities.
Google thanked about 40 people, groups, and companies in the January Android Security Update Bulletin. The Mobile Threat Research Team is the group that found the Mediaserver vulnerability, which is considered to have the highest risk associated with it on Android devices. This team also found 7 other major critical vulnerabilities.
Another group, the C0RE Team, was responsible for finding the bug tied to the elevation of privilege vulnerability, which comes from the NVIDIA GPU driver. That was also a vulnerability that Google wanted to fix as soon as possible.
Samsung has also been notifying its Android customer base because 28 Samsung-specific vulnerabilities have been found, and those updates for Samsung will be coming out shortly too. LG and Samsung are both working with Google to bring these security updates to all affected and applicable Android devices, although some older devices might not see the over-the-air updates for a few more weeks.