What a coincidence
Google has released two bundles of Android security patches this month: a smaller one to handle bugs in the operating system, and a larger package that tackles a raft of driver-level issues, particularly with Qualcomm’s hardware.
The first tranche of patches includes eight critical, 11 high-severity, and nine moderate fixes.

All but one of the critical patches are for Android’s soon-to-be redesigned Mediaserver, along with seven high-severity fixes and three moderates.

As ever, people have found new ways to corrupt and hijack Mediaserver using booby-trapped video files and multimedia messages. Opening a malicious vid could lead to full remote code execution on Android devices from version 4.4.4 up to the most recent build.
The other critical fix covers a flaw in OpenSSL and Google’s stripped-down software fork BoringSSL.

These libraries also suffer from memory corruption bugs that can be potentially exploited to execute code on vulnerable devices.
Other high-severity issues in the update include a fix for the way Android handles Bluetooth communications: the flaw would allow an attacker to inject and run code on a nearby device during the initial pairing with a new party.

Below is the full flaw list.
| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in Mediaserver | CVE-2016-2506, CVE-2016-2505, CVE-2016-2507, CVE-2016-2508, CVE-2016-3741, CVE-2016-3742, CVE-2016-3743 | Critical | Yes |
| Remote code execution vulnerability in OpenSSL & BoringSSL | CVE-2016-2108 | Critical | Yes |
| Remote code execution vulnerability in Bluetooth | CVE-2016-3744 | High | Yes |
| Elevation of privilege vulnerability in libpng | CVE-2016-3751 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3745, CVE-2016-3746, CVE-2016-3747 | High | Yes |
| Elevation of privilege vulnerability in sockets | CVE-2016-3748 | High | Yes |
| Elevation of privilege vulnerability in LockSettingsService | CVE-2016-3749 | High | Yes |
| Elevation of privilege vulnerability in Framework APIs | CVE-2016-3750 | High | Yes |
| Elevation of privilege vulnerability in ChooserTarget service | CVE-2016-3752 | High | Yes |
| Information disclosure vulnerability in Mediaserver | CVE-2016-3753 | High | No* |
| Information disclosure vulnerability in OpenSSL | CVE-2016-2107 | High | No* |
| Denial of service vulnerability in Mediaserver | CVE-2016-3754, CVE-2016-3755, CVE-2016-3756 | High | Yes |
| Denial of service vulnerability in libc | CVE-2016-3818 | High | No* |
| Elevation of privilege vulnerability in lsof | CVE-2016-3757 | Moderate | Yes |
| Elevation of privilege vulnerability in DexClassLoader | CVE-2016-3758 | Moderate | Yes |
| Elevation of privilege vulnerability in Framework APIs | CVE-2016-3759 | Moderate | Yes |
| Elevation of privilege vulnerability in Bluetooth | CVE-2016-3760 | Moderate | Yes |
| Elevation of privilege vulnerability in NFC | CVE-2016-3761 | Moderate | Yes |
| Elevation of privilege vulnerability in sockets | CVE-2016-3762 | Moderate | Yes |
| Information disclosure vulnerability in Proxy Auto-Config | CVE-2016-3763 | Moderate | Yes |
| Information disclosure vulnerability in Mediaserver | CVE-2016-3764, CVE-2016-3765 | Moderate | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2016-3766 | Moderate | Yes |
But wait, there’s more
So far, so Google.

The patch bundle is in line with other monthly patching packages from the Chocolate Factory.
If you have a Google Nexus device, you’ll get your hands on these fixes soon enough over the air automatically.
If not, you may well have to wait a while for your device manufacturer and mobile carrier to push these updates to you – if they ever appear.
Meanwhile, Google is issuing a second string of patches that aren’t going on general release: they’ll be pushed out to Nexus owners and to hardware manufacturers who are expected to then pass on the updates to their customers.
This second set is a much larger tranche of code, including 12 critical fixes, 54 rated high severity, and nine moderates.

Google said the second patch bundle will “provide Android partners with the flexibility to move more quickly to fix a subset of vulnerabilities that are similar across all Android devices.”
What could this subset of vulnerabilities be? The list of fixes contains some interesting hints. Last week, security researcher Gal Beniamini found a way to defeat Android’s full-disk encryption system using blunders in Qualcomm’s KeyMaster cryptography program.

The design flaws can potentially be exploited by someone who has seized your device to brute-force their way into unlocking and decrypting the encrypted file system.
Google and Qualcomm said the problem was fixed in patches issued in January and May, and Mountain View paid Beniamini a bug bounty for his find.

But the researcher pointed out that other flaws hiding within Android, particularly elevation of privilege bugs, could be found and exploited to break the encryption system again.
So it’s interesting that this secondary bundle includes fixes for 40 flaws in Qualcomm components – more than half of the total – and pretty much all of them are escalation-of-privilege holes.
If you were emitting a set of fixes to shore up devices against KeyMaster-based attacks, it would probably look a lot like this one.
The first two critical patches on the list are for the Qualcomm GPU drivers in Nexus 5X, 6, and 6P, to fix an elevation of privilege vulnerability that would allow an attacker to “execute arbitrary code within the context of the kernel.” There are another 36 Qualcomm high- and moderate-severity flaw fixes included in the release.
All Nexus devices get a critical patch for an elevation of privilege vulnerability in the Android kernel file system that would have the same effect. Nexus 5 and 7 devices also get critical fixes for security vulnerabilities affecting Qualcomm components including the bootloader, camera, character, networking, sound, and video drivers.
There are also six critical patches for the Android One operating system, used by its basic device range.

They fix flaws in the MediaTek Wi-Fi driver and other parts of the supplier’s kit that could compromise the kernel, with the device having to be wiped to recover.
The full list is below. ®
| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Elevation of privilege vulnerability in Qualcomm GPU driver (Device specific) | CVE-2016-2503, CVE-2016-2067 | Critical | Yes |
| Elevation of privilege vulnerability in MediaTek Wi-Fi driver (Device specific) | CVE-2016-3767 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm performance component (Device specific) | CVE-2016-3768 | Critical | Yes |
| Elevation of privilege vulnerability in NVIDIA video driver (Device specific) | CVE-2016-3769 | Critical | Yes |
| Elevation of privilege vulnerability in MediaTek drivers (Device specific) | CVE-2016-3770, CVE-2016-3771, CVE-2016-3772, CVE-2016-3773, CVE-2016-3774 | Critical | Yes |
| Elevation of privilege vulnerability in kernel file system (Device specific) | CVE-2016-3775 | Critical | Yes |
| Elevation of privilege vulnerability in USB driver (Device specific) | CVE-2015-8816 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm components (Device specific) | CVE-2014-9794, CVE-2014-9795, CVE-2015-8892, CVE-2013-7457, CVE-2014-9781, CVE-2014-9786, CVE-2014-9788, CVE-2014-9779, CVE-2014-9780, CVE-2014-9789, CVE-2014-9793, CVE-2014-9782, CVE-2014-9783, CVE-2014-9785, CVE-2014-9787, CVE-2014-9784, CVE-2014-9777, CVE-2014-9778, CVE-2014-9790, CVE-2014-9792, CVE-2014-9797, CVE-2014-9791, CVE-2014-9796, CVE-2014-9800, CVE-2014-9799, CVE-2014-9801, CVE-2014-9802, CVE-2015-8891, CVE-2015-8888, CVE-2015-8889, CVE-2015-8890 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm USB driver (Device specific) | CVE-2016-2502 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (Device specific) | CVE-2016-3792 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm camera driver (Device specific) | CVE-2016-2501 | High | Yes |
| Elevation of privilege vulnerability in NVIDIA camera driver (Device specific) | CVE-2016-3793, CVE-2016-3794 | High | Yes |
| Elevation of privilege vulnerability in MediaTek power driver (Device specific) | CVE-2016-3795, CVE-2016-3796 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (Device specific) | CVE-2016-3797 | High | Yes |
| Elevation of privilege vulnerability in MediaTek hardware sensor driver (Device specific) | CVE-2016-3798 | High | Yes |
| Elevation of privilege vulnerability in MediaTek video driver (Device specific) | CVE-2016-3799, CVE-2016-3800 | High | Yes |
| Elevation of privilege vulnerability in MediaTek GPS driver (Device specific) | CVE-2016-3801 | High | Yes |
| Elevation of privilege vulnerability in kernel file system (Device specific) | CVE-2016-3802, CVE-2016-3803 | High | Yes |
| Elevation of privilege vulnerability in MediaTek power management driver (Device specific) | CVE-2016-3804, CVE-2016-3805 | High | Yes |
| Elevation of privilege vulnerability in MediaTek display driver (Device specific) | CVE-2016-3806 | High | Yes |
| Elevation of privilege vulnerability in serial peripheral interface driver (Device specific) | CVE-2016-3807, CVE-2016-3808 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm sound driver (Device specific) | CVE-2016-2068 | High | Yes |
| Elevation of privilege vulnerability in kernel (Device specific) | CVE-2014-9803 | High | Yes |
| Information disclosure vulnerability in networking component (Device specific) | CVE-2016-3809 | High | Yes |
| Information disclosure vulnerability in MediaTek Wi-Fi driver (Device specific) | CVE-2016-3810 | High | Yes |
| Elevation of privilege vulnerability in kernel video driver (Device specific) | CVE-2016-3811 | Moderate | Yes |
| Information disclosure vulnerability in MediaTek video codec driver (Device specific) | CVE-2016-3812 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm USB driver (Device specific) | CVE-2016-3813 | Moderate | Yes |
| Information disclosure vulnerability in NVIDIA camera driver (Device specific) | CVE-2016-3814, CVE-2016-3815 | Moderate | Yes |
| Information disclosure vulnerability in MediaTek display driver (Device specific) | CVE-2016-3816 | Moderate | Yes |
| Information disclosure vulnerability in kernel teletype driver (Device specific) | CVE-2016-0723 | Moderate | Yes |
| Denial of service vulnerability in Qualcomm bootloader (Device specific) | CVE-2014-9798, CVE-2015-8893 | Moderate | Yes |
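As an added example (not part of the article), a small triage script that parses flaw lists in the four-lines-per-entry form used by both lists above into records, then tallies them by severity and by the vendor named in the issue title; it counts issue rows and individual CVEs separately, since the two differ whenever one issue covers several CVEs. The embedded sample is a handful of rows copied from the second list.

```python
"""Parse a flattened Android bulletin flaw list and tally it (added example)."""
import re
from collections import Counter

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SEVERITIES = ("Critical", "High", "Moderate", "Low")

# Constructed sample: four rows copied from the second list on the page,
# in the order issue / CVE list / severity / affects Nexus.
SAMPLE = """\
Elevation of privilege vulnerability in Qualcomm GPU driver (Device specific)
CVE-2016-2503, CVE-2016-2067
Critical
Yes
Elevation of privilege vulnerability in MediaTek Wi-Fi driver (Device specific)
CVE-2016-3767
Critical
Yes
Elevation of privilege vulnerability in Qualcomm USB driver (Device specific)
CVE-2016-2502
High
Yes
Information disclosure vulnerability in Qualcomm USB driver (Device specific)
CVE-2016-3813
Moderate
Yes
"""


def parse_bulletin(text):
    """Return a list of entry dicts; raise ValueError on a malformed list."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 4:
        raise ValueError("flaw list is not a multiple of four lines")
    entries = []
    for issue, cve_field, severity, nexus in zip(*[iter(lines)] * 4):
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r} for {issue!r}")
        ids = CVE_RE.findall(cve_field)
        if not ids:
            raise ValueError(f"no CVE ids for {issue!r}")
        entries.append({"issue": issue, "cves": ids, "severity": severity,
                        "nexus": nexus.startswith("Yes")})
    return entries


def tally(entries):
    """Return (issues per severity, CVEs per severity) as two Counters."""
    issues = Counter(e["severity"] for e in entries)
    cves = Counter()
    for e in entries:
        cves[e["severity"]] += len(e["cves"])
    return issues, cves


def by_vendor(entries, vendor):
    """CVE ids whose issue title names the given vendor, e.g. 'Qualcomm'."""
    return [c for e in entries if vendor in e["issue"] for c in e["cves"]]
```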