Android security bulletin

Google has published this month's Android security bulletin, and the company provided a fix for the KRACK vulnerability that came to light last month.

The Android Security Bulletin for November 2017 is split into three separate packages: 2017-11-01, 2017-11-05, and 2017-11-06. The KRACK fixes are included in the last of these, 2017-11-06.

If your phone receives the update and the security patch level is 2017-11-06, the KRACK fixes are also included.
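
The check above can be scripted across several devices. This is an added example, not code from Google or the original article, and it goes beyond the single case in the text by treating any patch level of 2017-11-06 or later as including the KRACK fixes. The function names, device names and sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the
# November 2017 bulletin, where the KRACK fixes ship in 2017-11-06.
KRACK_LEVEL="2017-11-06"

# Print a patch level as an integer (YYYYMMDD); fail unless it is YYYY-MM-DD.
level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# Print "patched", "vulnerable" or "unknown" for one patch level string.
krack_status() {
    have=$(level_to_int "$1") || { echo unknown; return 0; }
    need=$(level_to_int "$KRACK_LEVEL")
    if [ "$have" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# Read "device level" lines on stdin and print "device level status".
# A missing or malformed level is reported as unknown, never as patched.
audit_inventory() {
    while read -r device level; do
        [ -n "$device" ] || continue
        printf '%s %s %s\n' "$device" "${level:-none}" "$(krack_status "$level")"
    done
}

# Constructed sample inventory (device names are made up).
# On a real device the level can be read with:
#   adb shell getprop ro.build.version.security_patch
sample_inventory() {
    cat <<'EOF'
pixel-a 2017-11-06
tablet-b 2017-11-05
phone-c 2017-10-01
phone-d 2017-12-01
kiosk-e
EOF
}

sample_inventory | audit_inventory
```

Note that a device at 2017-11-05 is reported as vulnerable: only the 2017-11-06 level carries the KRACK fixes.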

Google last major vendor to patch KRACK bugs

Discovered by Mathy Vanhoef, a researcher from the University of Leuven (KU Leuven), the KRACK vulnerability affects the WPA2 WiFi protocol. It allows attackers to forcibly reinstall connection keys and intercept a user's WPA2-protected WiFi traffic.

Many vendors were notified of the vulnerability in advance, including Google, and most provided fixes and workarounds when Vanhoef went public with his research.

Google is among the last major vendors to deliver KRACK fixes. This is in contrast with Microsoft, which silently deployed KRACK fixes to Windows users without telling anyone, a month before the vulnerability became public.

Apple released KRACK patches at the end of October, as part of iOS 11.1 & macOS High Sierra 10.13.1.

Users can detect devices vulnerable to KRACK attacks with tools and proof-of-concept code Vanhoef released via his GitHub account, or with a third-party toolkit named KRACK Detector.

Other bugs fixed in the November 2017 Android Security Bulletin

Besides the KRACK fixes, Google also patched other security bugs as part of the November 2017 Android Security Bulletin.

These include five remote code execution bugs in the Media framework that allow attackers to take over devices via malformed multimedia files (CVE-2017-0832, CVE-2017-0833, CVE-2017-0834, CVE-2017-0835, CVE-2017-0836).

In addition, the security bulletin includes fixes for six bugs reported by security researcher Scotty Bauer. The bugs (also remote code execution flaws) affect the Qualcomm WLAN component and are described in more depth on a website Bauer has set up specifically for this purpose.

Users who don't receive over-the-air updates from their mobile provider or phone vendor can download updated OS images from the Android project's homepage. Just be aware that flashing the phone and installing the updated OS version is a very complex task, one that often ends up in inexperienced users bricking their phones.
