Another month, another round of critical vulnerabilities patched by Google

Google has today issued a bundle of 40 security patches for its Android operating system.
A dozen of the fixes correct critical vulnerabilities in versions 4.4.4 of the operating system and above.

About 74 per cent of in-use Android devices run Android 4.4.4 or higher.
These critical bugs can be potentially exploited by miscreants to hijack millions of vulnerable handsets, tablets and other Android gadgets, install malware on the devices, and spy on people.
Opening a malicious video file could lead to remote-code execution.

Apps can infiltrate Qualcomm’s TrustZone kernel, which is supposed to be a secure area away from Android where things like fingerprint readers are controlled.

Drivers by Qualcomm and Nvidia can be exploited by apps to gain extra privileges.
Hackers have to dodge Android’s built-in defenses to succeed, but this is not an impossible task. Never mind that, though, Google has decided to tweak the name of its monthly security patches.
“To reflect a broader focus, we renamed this bulletin (and all following in the series) to the Android Security Bulletin.

These bulletins encompass a broader range of vulnerabilities that may affect Android devices, even if they do not affect Nexus devices,” the Android advisory said.
“We updated the Android Security severity ratings.

These changes were the result of data collected over the last six months on reported security vulnerabilities and aim to align severities more closely with real world impact to users.”
Here’s the full list of bugs blatted by today’s patch bundle:
Issue

CVE

Severity

Affects Nexus?
Remote Code Execution Vulnerability in Mediaserver

CVE-2016-2428
CVE-2016-2429

Critical

Yes
Elevation of Privilege Vulnerability in Debuggerd

CVE-2016-2430

Critical

Yes
Elevation of Privilege Vulnerability in Qualcomm TrustZone

CVE-2016-2431
CVE-2016-2432

Critical

Yes
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver

CVE-2015-0569
CVE-2015-0570

Critical

Yes
Elevation of Privilege Vulnerability in NVIDIA Video Driver

CVE-2016-2434
CVE-2016-2435
CVE-2016-2436
CVE-2016-2437

Critical

Yes
Elevation of Privilege Vulnerability in Kernel

CVE-2015-1805

Critical

Yes
Remote Code Execution Vulnerability in Kernel

CVE-2016-2438

High

Yes
Information Disclosure Vulnerability in Qualcomm Tethering Controller

CVE-2016-2060

High

No
Remote Code Execution in Bluetooth

CVE-2016-2439

High

Yes
Elevation of Privilege in Binder

CVE-2016-2440

High

Yes
Elevation of Privilege Vulnerability in Qualcomm Buspm Driver

CVE-2016-2441
CVE-2016-2442

High

Yes
Elevation of Privilege Vulnerability in Qualcomm MDP Driver

CVE-2016-2443

High

Yes
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver

CVE-2015-0571

High

Yes
Elevation of Privilege Vulnerability in NVIDIA Video Driver

CVE-2016-2444
CVE-2016-2445
CVE-2016-2446

High

Yes
Elevation of Privilege in Wi-Fi

CVE-2016-2447

High

Yes
Elevation of Privilege Vulnerability in Mediaserver

CVE-2016-2448
CVE-2016-2449
CVE-2016-2450
CVE-2016-2451
CVE-2016-2452

High

Yes
Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver

CVE-2016-2453

High

Yes
Remote Denial of Service Vulnerability in Qualcomm Hardware Codec

CVE-2016-2454

High

Yes
Elevation of Privilege in Conscrypt

CVE-2016-2461
CVE-2016-2462

Moderate

Yes
Elevation of Privilege Vulnerability in OpenSSL & BoringSSL

CVE-2016-0705

Moderate

Yes
Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver

CVE-2016-2456

Moderate

Yes
Elevation of Privilege in Wi-Fi

CVE-2016-2457

Moderate

Yes
Information Disclosure Vulnerability in AOSP Mail

CVE-2016-2458

Moderate

Yes
Information Disclosure Vulnerability in Mediaserver

CVE-2016-2459
CVE-2016-2460

Moderate

Yes
Denial of Service Vulnerability in Kernel

CVE-2016-0774

Low

Yes
It’s clear Android’s media handling capabilities are still requiring frequent updates – partly because new flaws are being found, and video files are a good way to slip malicious code into victims’ devices.
The Android debugger also has a critical flaw that allows remote code execution and would require a complete operating system re-flash to fix.

Thankfully there are no reports of it being exploited in the wild.

Third-party hardware is also getting a lot of patches. Qualcomm gets 10 patches four of them critical, and Nvidia gets the same number for its kit.
Nexus 5, 6, 7 and 9 devices are all covered in this month’s round, as well as Android One budget phones for developing markets: Nexus users will get all of these patches installed automatically over-the-air shortly.
If you don’t have a Nexus device, you’ll have to wait for your carrier and gadget manufacturer to approve the updates and push them out over the air – which make take a while, or not happen at all.
Google’s Play Store app can automatically install some of these patches regardless of whether or not you’re using a Nexus. Unfortunately, some of the serious flaws listed above – in the kernel, Mediaserver and driver-land – cannot be fixed by the Play Store app, and thus you’ll have to wait for the fixes to trundle their way over to you, if you’re lucky.
So, either get a Nexus and automatic updates, or try not to run any dodgy apps or open any video files from people you don’t trust. ®

Sponsored:
Rise of the machines