Google has detailed but not yet released the September patch that brings fixes for Android, the Linux kernel, and components from Broadcom, Qualcomm, and MediaTek.
The most severe issue fixed in the September Android update comes from Android's troublesome media framework. It had 24 vulnerabilities, of which 10 are critical. Android 8.0 Oreo is affected by 11 of these flaws.
The worst one "could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process", according to Google's September 2017 Android Security Bulletin.
Besides laying a foundation for faster version updates, Google's Project Treble also aims to make it hard to exploit devices through flaws in Android's media framework.
Google notes that it has not received any reports that the bugs are being actively exploited.
As usual these days, it has released two patch levels: one with a partial set of fixes for Android, and another for the complete patch level that includes patches for hardware drivers and the kernel.
Devices that have been updated with the partial patch will have the 2017-09-01 patch string, while the complete patch string is 2017-09-05.
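For anyone auditing a fleet against these two strings, the following is an added example, not code from Google or the bulletin. It classifies reported patch strings (on a device the value is the `ro.build.version.security_patch` property) and relies on the fact that a later patch level includes all earlier ones; the device names and inventory are constructed.

```python
import re
from datetime import date

# Patch-level strings quoted in the article for the September 2017 bulletin.
PARTIAL = date(2017, 9, 1)    # partial set of fixes for Android
COMPLETE = date(2017, 9, 5)   # adds hardware driver and kernel patches

_PATCH_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")

def parse_patch_level(raw):
    """Return a date for a strict 'YYYY-MM-DD' string, else None."""
    m = _PATCH_RE.fullmatch(raw.strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:          # e.g. 2017-02-30
        return None

def classify(raw):
    """Map a patch string to its status relative to the September bulletin."""
    level = parse_patch_level(raw)
    if level is None:
        return "unknown"        # empty, truncated or malformed: treat as unverified
    if level >= COMPLETE:
        return "complete"       # later levels include all earlier fixes
    if level >= PARTIAL:
        return "partial"        # driver and kernel fixes not guaranteed
    return "missing"

def audit(inventory):
    """Group device names by status; input maps device name -> patch string."""
    report = {"complete": [], "partial": [], "missing": [], "unknown": []}
    for device, raw in inventory.items():
        report[classify(raw)].append(device)
    return report

# Constructed sample inventory (hypothetical device names and values).
SAMPLE = {
    "device-a": "2017-08-05",
    "device-b": "2017-09-01",
    "device-c": "2017-09-05\n",
    "device-d": "2017-10-01",
    "device-e": "2017-9-5",
    "device-f": "",
}

if __name__ == "__main__":
    for status, devices in audit(SAMPLE).items():
        print(f"{status:9} {', '.join(devices) or '-'}")
```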
Google’s own Pixel and Nexus devices should soon be updated with the complete patch, which will arrive as part of the upgrade to Android Oreo. This patch applies to the Pixel, Pixel XL, Pixel C, Nexus Player, Nexus 5X, and Nexus 6P.
As noted by 9to5Google, the company hasn’t released September’s update to Pixel and Nexus devices yet, while HMD Global has reportedly pushed the September security update to the Nokia 5. HMD also beat Google to the July patch.
The complete patch level addresses several bugs affecting Broadcom’s Wi-Fi driver.
Reminiscent of the recent Broadpwn bug that affected Wi-Fi chips in Android and iOS devices, the worst of these could allow an attacker within Wi-Fi range to execute arbitrary code using a specially crafted file.
It also contains fixes for the Linux kernel, several MediaTek drivers, as well as for Qualcomm libraries and drivers.