|
|
登入後,內容更豐富
您需要 登錄 才可以下載或查看,沒有賬號?註冊
×
Android Security Bulletin—July 2017 security update安全更新, 高严重程度
https://source.android.com/security/bulletin/2017-07-01
Published July 5, 2017 | Updated July 6, 2017
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of July 05, 2017 or later address all of these issues. Refer to the Pixel and Nexus update schedule to learn how to check a device's security patch level.
Partners were notified of the issues described in the bulletin at least a month ago. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.
The most severe of these issues is a critical security vulnerability in media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.
We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.
We encourage all customers to accept these updates to their devices.
Announcements
This bulletin has two security patch level strings to provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices. See Common questions and answers for additional information:
2017-07-01: Partial security patch level string. This security patch level string indicates that all issues associated with 2017-07-01 (and all previous security patch level strings) are addressed.
2017-07-05: Complete security patch level string. This security patch level string indicates that all issues associated with 2017-07-01 and 2017-07-05 (and all previous security patch level strings) are addressed.
Android and Google Play Protect mitigations
This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.
Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.
2017-07-01 security patch level—Vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2017-07-01 patch level. Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.
Runtime
The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process.
CVE References Type Severity Updated AOSP versions
CVE-2017-3544 A-35784677 RCE Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
Framework
The most severe vulnerability in this section could enable a local malicious application using a specially crafted file to execute arbitrary code within the context of an application that uses the library.
CVE References Type Severity Updated AOSP versions
CVE-2017-0664 A-36491278 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0665 A-36991414 EoP High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0666 A-37285689 EoP High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0667 A-37478824 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0668 A-22011579 ID Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0669 A-34114752 ID High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0670 A-36104177 DoS High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
Libraries
The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an application that uses the library.
CVE References Type Severity Updated AOSP versions
CVE-2017-0671 A-34514762* RCE High 4.4.4
CVE-2016-2109 A-35443725 DoS High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0672 A-34778578 DoS High 7.0, 7.1.1, 7.1.2
Media framework
The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2017-0540 A-33966031 RCE Critical 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0673 A-33974623 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0674 A-34231163 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0675 A-34779227 [2] RCE Critical 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0676 A-34896431 RCE Critical 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0677 A-36035074 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0678 A-36576151 RCE Critical 7.0, 7.1.1, 7.1.2
CVE-2017-0679 A-36996978 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0680 A-37008096 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0681 A-37208566 RCE Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0682 A-36588422* RCE High 7.0, 7.1.1, 7.1.2
CVE-2017-0683 A-36591008* RCE High 7.0, 7.1.1, 7.1.2
CVE-2017-0684 A-35421151 EoP High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0685 A-34203195 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0686 A-34231231 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0688 A-35584425 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0689 A-36215950 DoS High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0690 A-36592202 DoS High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0691 A-36724453 DoS High 7.0, 7.1.1, 7.1.2
CVE-2017-0692 A-36725407 DoS High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0693 A-36993291 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0694 A-37093318 DoS High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0695 A-37094889 DoS High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0696 A-37207120 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0697 A-37239013 DoS High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0698 A-35467458 ID Moderate 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0699 A-36490809 ID Moderate 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
System UI
The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2017-0700 A-35639138 RCE High 7.1.1, 7.1.2
CVE-2017-0701 A-36385715 [2] RCE High 7.1.1, 7.1.2
CVE-2017-0702 A-36621442 RCE High 7.1.1, 7.1.2
CVE-2017-0703 A-33123882 EoP High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0704 A-33059280 EoP Moderate 7.1.1, 7.1.2
|
|
在線雷達
發表於 2017-7-26 00:28:53
廣播
置頂
推舊帖
收嗲鳥
油顏色
感謝發文…
發表於 2017-7-26 06:31:30
