Android, Linux Vulnerabilities Dominate the US-CERT Bulletin this Week


The most recent vulnerability summary bulletin from the Department of Homeland Security’s US-CERT (Computer Emergency Readiness Team) highlights a number of ‘high severity’ vulnerabilities in the Android mobile platform and the open-source Linux operating system.

Every week, the US-CERT provides a summary of new risks and vulnerabilities that plague popular software platforms. These vulnerabilities are recorded by the National Institute of Standards and Technology (NIST) and the National Vulnerability Database (NVD). The NVD is notably sponsored and backed by the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC).

The bulletin ranks vulnerabilities on a three-tier scale: ‘High’, ‘Medium’ and ‘Low’. High-risk vulnerabilities carry a Common Vulnerability Scoring System (CVSS) score of 7.0 to 10.0, with 10.0 being the most critical score.

A total of 25 Android vulnerabilities made the high-risk vulnerabilities chart. Three of those were rated critically high at 9.3 each due to the possibility of a permanent device compromise. The only way to recover the device in such a scenario would be to reflash the ROM/operating system on the Android phone or tablet.

These severe vulnerabilities surfaced in the MediaTek touchscreen and thermal drivers, as well as Qualcomm’s bootloader. Both companies are third-party manufacturers developing solutions for the Android ecosystem.

One of them, tagged CVE-2016-10274, reads as:

An elevation of privilege vulnerability in the MediaTek touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

A number of vulnerabilities that allowed remote code execution were also rated at 9.3. Suffice it to say, Android topped the charts as the most vulnerable commercial software platform this week.

The Linux kernel saw two high-severity vulnerabilities rated above 9, one of which would allow a permanent device compromise due to a security hole in the kernel trace subsystem.

The complete bulletin can be found here.
