Google patched six Critical Remote Code Execution (RCE) holes in the Mediaserver component.
Google’s Android Security Bulletin for May 2017 is divided into two patch levels. One is the 2017-05-01 partial security patch level string, which addresses 20 flaws; the other is the 2017-05-05 complete security patch level string, which takes care of 98 issues.
None of the vulnerabilities has been exploited, Google officials said in an advisory.
The six Critical issues in Mediaserver, resolved in the 2017-05-01 patch level string, could enable remote code execution on affected devices through multiple methods, including email, web browsing, and MMS when processing media files. The bugs impact numerous platform versions, including Android 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, and 7.1.2.
The patch level also addresses three high-risk elevation of privilege (EoP) and four denial of service (DoS) vulnerabilities in the Mediaserver component.
The remaining seven issues include two high-risk bugs in Framework APIs (one EoP and one information disclosure), a high-severity EoP in Audioserver, a moderate-risk EoP in Bluetooth, and three moderate-severity information disclosure vulnerabilities (in File-Based Encryption, Bluetooth, and OpenSSL & BoringSSL).
The 2017-05-05 security patch level string resolves 23 Critical bugs, 59 high-severity flaws, and 16 moderate-severity issues. All of the vulnerabilities addressed in the previous patch level string are also resolved in this patch level, Google notes.
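Because the bulletin is split into a partial (2017-05-01) and a complete (2017-05-05) level, a device reporting 2017-05-01 is only protected against the first 20 issues. The following script is an added example, not part of the article or of Google's tooling: it classifies a patch level string against the two May 2017 levels, and, when `adb` is present, reads the level from a connected device via the real Android system property `ro.build.version.security_patch`. The function names and the status labels are this example's own choices.

```shell
#!/bin/sh
# Added example: classify an Android security patch level string against
# the May 2017 bulletin's two levels (partial 2017-05-01, complete 2017-05-05).

PARTIAL_LEVEL=20170501    # 2017-05-01: first 20 issues only
COMPLETE_LEVEL=20170505   # 2017-05-05: all 98 issues

# patch_level_status YYYY-MM-DD
# Prints one of: invalid, unpatched, partial, complete.
patch_level_status() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # Strip the hyphens so the ISO date can be compared as an integer.
    n=$(printf '%s' "$level" | tr -d '-')
    if [ "$n" -lt "$PARTIAL_LEVEL" ]; then
        echo unpatched
    elif [ "$n" -lt "$COMPLETE_LEVEL" ]; then
        echo partial
    else
        echo complete
    fi
}

# check_device: read the patch level from a connected device over adb.
# ro.build.version.security_patch is the real Android property that holds it.
check_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; pass a patch level string instead" >&2
        return 1
    fi
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "device patch level $level: $(patch_level_status "$level")"
}

# Usage: ./check.sh 2017-05-01  (or ./check.sh with a device attached)
if [ "${1:-}" ]; then
    patch_level_status "$1"
fi
```

A result of `partial` means the Mediaserver RCE fixes are present but the 78 additional fixes in the 2017-05-05 level (including the bootloader, driver and Qualcomm component bugs) are not; `unpatched` means neither level has been applied.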
The 23 Critical bugs include an RCE in GIFLIB; eight EoPs in the MediaTek touchscreen driver, Qualcomm bootloader, kernel sound subsystem, Motorola bootloader, NVIDIA video driver, Qualcomm power driver, and kernel trace subsystem; and 14 assorted vulnerabilities in Qualcomm components.