Google has quietly pushed out its July update for Android, and 11 of the patches in the update are rated ‘Critical’ – meaning they allow remote code execution and/or privilege escalation. What does that mean? They were bugs that would allow someone to take over your phone!
The most critical patch may be for an exploit known as ‘Broadpwn’ – or CVE-2017-9417.
CVE-2017-9417 or Broadpwn is a remote code execution vulnerability in the Broadcom WiFi driver. Two other Broadcom WiFi driver issues (CVE-2017-0705 and CVE-2017-0706) were also given a “critical” rating as they potentially could have enabled privilege escalation attacks.
“The most severe vulnerability in this section could enable a proximate attacker to execute arbitrary code within the context of the kernel,” Google warns in its advisory. In layman’s terms – someone who is nearby could take over your phone, without even being able to touch it!
This isn’t the first time Google has patched remote code execution issues in Broadcom WiFi drivers on Android. In April, the mobile operating system was patched for the critical CVE-2017-0561 vulnerability. Apple also makes use of Broadcom’s WiFi technologies and released its iOS 10.3.1 update in April to patch the same exploit.
Google gives credit for the discovery of the newly patched CVE-2017-9417 to security researcher Nitay Artenstein of Exodus Intelligence. Artenstein is scheduled to deliver a talk at the Black Hat security conference on July 27 that will provide more insight into these Broadcom vulnerabilities.