
Google Patches Dozens of Critical Qualcomm Components Flaws


RV_


If you are running Android phones or tablets, this info may be critical:

 

Excerpt:

 

"Google today patched more than three-dozen critical vulnerabilities in Qualcomm components embedded in the Android operating system, all of them allowing attackers to gain a foothold on devices to launch further attacks.

 

The Qualcomm-related patches are among dozens in the monthly Android Security Bulletin, which marks its first anniversary this week after its maiden voyage a year ago during the Black Hat USA 2015 hacker conference. This year’s Black Hat begins tomorrow in Las Vegas.

 

Most of the Qualcomm components elevation of privileges vulnerabilities patched today are two years old and are part of the Aug. 5 patch level. Google also made available today an Aug. 1 patch level release that patches three critical bugs in Mediaserver.

Google said its Nexus devices were patched in over-the-air updates; its partners were notified of the fixes on July 6 and source code patches will be released to the Android Open Source Project repository within 48 hours.

 

Qualcomm vulnerabilities have been a focus around Android this summer starting with the May disclosure of a vulnerability in the chipmaker’s Secure Execution Environment (QSEE). The flaw affected 60 percent of Android devices before it was patched.

 

The Aug. 5 patch level also fixed a remote code execution vulnerability in the Qualcomm Wi-Fi Driver, also dating back to 2014 (CVE-2014-9902), and another RCE bug in Conscrypt, which is a Java security provider that uses OpenSSL, according to a description on the Conscrypt site.

 

The bulletin also patches six other critical bugs, all of them elevation of privilege flaws, two in the Android kernel networking component, two in the Qualcomm GPU driver and others in the Qualcomm performance component and in the Android kernel.

 

The August patch release is the first respite from critical Mediaserver vulnerabilities in months. Mediaserver is a core Android component and proof-of-concept exploits for last summer’s Stagefright flaws targeted it because of its kernel access."

 

More details in the article here: https://threatpost.com/google-patches-dozens-of-critical-qualcomm-components-flaws/119594/


I always get a chuckle out of articles like this. (RV/Derek - NOT YOU, or your post itself... As again using the word always, I do always find your posts informative, and cover such a wide spectrum:)!)... Sure, chips can have 'vulnerabilities', and sometimes they're specifically caused by a manufacturer. But usually, 95% + of the time, the fault is a result of the 'standards' the chip is manufactured to.

 

Dang if you do, and dang if you don't:)! (And again, chip manufacturers do 'blow it' sometimes. And I'm sure Qualcomm has had this happen too...).

 

But, often times pieces like this on the internet - are done to allow:

 

-A competitor a leg up

-Drive a price down, for 'opportunistic self driven' buying moves

-Disgruntled employee

-(And again, sometimes due to being a 'SNAFU' by the chip maker...)

 

Best to you, and all,

Smitty


Smitty,

No problem bud! I think that they can fix them in firmware from what I read. Adding another motive, to wit, to shame the manufacturers into fixing them before the crisis of confidence from crippled systems at the user end cost much more in man-hour losses cumulatively exponentially than if they take the initiative. That makes five and each I give a 20% chance of being correct.

 

Google has the patches, the manufacturers need to deploy them. If Samsung et al take a year they should lose market share. I did a year and a half in limbo with Samsung's Original Galaxy Tab 10 and Tab 7 (8? I forget) we bought in 2010/11. We waited for six months for the Ice Cream Sandwich upgrade, and then they delayed another six months, and then another. We got ICS finally but by then Windows tablets were announced for October in 2012. Windows tablets are updated by Microsoft, all at the same time, not by each vendor. Today I am force updating two test systems to the new Windows version to see what is up. They were promised yesterday, but I have my main systems, both pro systems, deferred. I decided to uncloak my Surface Pro 3 and did my ASUS T200 older system, both Windows 8.1 originally.


Archived

This topic is now archived and is closed to further replies.
