In a recent update, Google addressed numerous issues and issued patches for Nexus, Pixel, and Pixel 2 phones. The patches cover a broad range of issues, but arguably the most dangerous of these vulnerabilities is CVE-2017-14907. It is the only one in the patch release that is rated critical, and for good reason. Tied to “Qualcomm closed-source components,” CVE-2017-14907 directly affects encryption strength, which the CVE report describes as follows:
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, cryptographic strength is reduced while deriving disk encryption key.
When media outlets reached out, Qualcomm refused to comment, according to a post on Kaspersky Lab’s Threatpost.
Other vulnerabilities, while they only scratch the surface of the massive patch release, are worth discussing in more detail. The first of these is CVE-2017-13167, which allows for privilege escalation thanks to a vulnerability in the kernel sound timer. This particular vulnerability earns a “high” rating on the severity scale.
CVE-2017-0879 is another patched vulnerability worth mentioning that ranks “high” in severity. It is an information disclosure vulnerability in the Android media framework. In addition to the information disclosure issue, it allows for a denial-of-service attack in Android versions 7.0, 7.1.1, 7.1.2, and 8.0.
Common threads run through the vulnerabilities in the patch release, several of which were mentioned above. Denial-of-service and privilege escalation are two major recurring threats among the roughly 50 vulnerabilities that are patched. Users sometimes put off patch updates because they don’t want to take the time to download and install them.
Considering the risk of a hacker gaining high-level access due to weak encryption and privilege escalation, I really wouldn’t advise putting off these patches for Nexus, Pixel, and Pixel 2 devices.