Or buy something that doesn’t use a Qualcomm Snapdragon
Another month means another double bundle of security vulnerability patches for Android.
Google is sticking to the twin-release pattern it used last month: the first batch addresses flaws in Android’s system-level software that everyone should install, and the second squashes bugs in hardware drivers and kernel-level code that not everyone needs.

The first patch set closes holes in Android 4.4.4 to the current build. Owners of Nexus gear will get these patches over-the-air very soon; everyone else will have to wait for their gadget makers and cellphone networks to issue them – which might be forever, leaving them forever vulnerable.
These holes include programming blunders in Mediaserver that can be exploited by a specially crafted MMS or an in-browser media file to potentially execute malicious code on a device.

Getting a bad text or visiting an evil webpage could be enough to slip spyware onto your device, provided the exploit is able to defeat ASLR and other defense mechanisms.
Mediaserver has other bugs, including four elevation-of-privileges holes allowing installed apps to gain more control of a device than they should, and code cockups that can crash a handheld.
The remaining patches address information leakages in the Wi-Fi, camera, SurfaceFlinger and Mediaserver code, and OpenSSL, all of which can be abused by installed apps to “access sensitive data without permission.” The full list is here:
| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in Mediaserver | CVE-2016-3819, CVE-2016-3820, CVE-2016-3821 | Critical | Yes |
| Remote code execution vulnerability in libjhead | CVE-2016-3822 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3823, CVE-2016-3824, CVE-2016-3825, CVE-2016-3826 | High | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2016-3827, CVE-2016-3828, CVE-2016-3829, CVE-2016-3830 | High | Yes |
| Denial of service vulnerability in system clock | CVE-2016-3831 | High | Yes |
| Elevation of privilege vulnerability in framework APIs | CVE-2016-3832 | Moderate | Yes |
| Elevation of privilege vulnerability in Shell | CVE-2016-3833 | Moderate | Yes |
| Information disclosure vulnerability in OpenSSL | CVE-2016-2842 | Moderate | Yes |
| Information disclosure vulnerability in camera APIs | CVE-2016-3834 | Moderate | Yes |
| Information disclosure vulnerability in Mediaserver | CVE-2016-3835 | Moderate | Yes |
| Information disclosure vulnerability in SurfaceFlinger | CVE-2016-3836 | Moderate | Yes |
| Information disclosure vulnerability in Wi-Fi | CVE-2016-3837 | Moderate | Yes |
| Denial of service vulnerability in system UI | CVE-2016-3838 | Moderate | Yes |
| Denial of service vulnerability in Bluetooth | CVE-2016-3839 | Moderate | Yes |

The second patch bundle contains fixes for driver-level code, and whether or not you need each of them depends on your hardware: if you have a chipset that introduces one of these vulnerabilities, you’ll need to install a fix.
Nexus owners will get these automatically as necessary; other phone and tablet manufacturers may roll them out as and when they feel ready.

That could be never in some cases.
The bundle predominantly fixes problems with Qualcomm’s driver software – Qualy being the dominant Android system-on-chip designer, with its Snapdragon SoCs used pretty much everywhere.

These Qualcomm bugs are definitely ones to watch as these kinds of low-level flaws were used to blow apart Android’s full-disk encryption system last month.
The patches include fixes for Qualcomm’s bootloader, and Qualcomm drivers for cameras, networking, sound, and video hardware.

A malicious app on a Qualcomm-powered phone or tablet could exploit these to gain kernel-level access – completely hijacking the device, in other words.

An app could use these holes to root a Nexus 5, 5X, 6, 6P and 7 so badly it would need a complete factory reset to undo the damage.
There are other bugs fixed in this batch because they can be exploited by malicious applications on Qualcomm-powered devices to access “sensitive data without explicit user permission.” The full list is below:
| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in Qualcomm Wi‑Fi driver | CVE-2014-9902 | Critical | Yes |
| Remote code execution vulnerability in Conscrypt | CVE-2016-3840 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm components | CVE-2014-9863, CVE-2014-9864, CVE-2014-9865, CVE-2014-9866, CVE-2014-9867, CVE-2014-9868, CVE-2014-9869, CVE-2014-9870, CVE-2014-9871, CVE-2014-9872, CVE-2014-9873, CVE-2014-9874, CVE-2014-9875, CVE-2014-9876, CVE-2014-9877, CVE-2014-9878, CVE-2014-9879, CVE-2014-9880, CVE-2014-9881, CVE-2014-9882, CVE-2014-9883, CVE-2014-9884, CVE-2014-9885, CVE-2014-9886, CVE-2014-9887, CVE-2014-9888, CVE-2014-9889, CVE-2014-9890, CVE-2014-9891, CVE-2015-8937, CVE-2015-8938, CVE-2015-8939, CVE-2015-8940, CVE-2015-8941, CVE-2015-8942, CVE-2015-8943 | Critical | Yes |
| Elevation of privilege vulnerability in kernel networking component | CVE-2015-2686, CVE-2016-3841 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm GPU driver | CVE-2016-2504, CVE-2016-3842 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm performance component | CVE-2016-3843 | Critical | Yes |
| Elevation of privilege vulnerability in kernel | CVE-2016-3857 | Critical | Yes |
| Elevation of privilege vulnerability in kernel memory system | CVE-2015-1593, CVE-2016-3672 | High | Yes |
| Elevation of privilege vulnerability in kernel sound component | CVE-2016-2544, CVE-2016-2546, CVE-2014-9904 | High | Yes |
| Elevation of privilege vulnerability in kernel file system | CVE-2012-6701 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3844 | High | Yes |
| Elevation of privilege vulnerability in kernel video driver | CVE-2016-3845 | High | Yes |
| Elevation of privilege vulnerability in Serial Peripheral Interface driver | CVE-2016-3846 | High | Yes |
| Elevation of privilege vulnerability in NVIDIA media driver | CVE-2016-3847, CVE-2016-3848 | High | Yes |
| Elevation of privilege vulnerability in ION driver | CVE-2016-3849 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm bootloader | CVE-2016-3850 | High | Yes |
| Elevation of privilege vulnerability in kernel performance subsystem | CVE-2016-3843 | High | Yes |
| Elevation of privilege vulnerability in LG Electronics bootloader | CVE-2016-3851 | High | Yes |
| Information disclosure vulnerability in Qualcomm components | CVE-2014-9892, CVE-2014-9893, CVE-2014-9894, CVE-2014-9895, CVE-2014-9896, CVE-2014-9897, CVE-2014-9898, CVE-2014-9899, CVE-2014-9900, CVE-2015-8944 | High | Yes |
| Information disclosure vulnerability in kernel scheduler | CVE-2014-9903 | High | Yes |
| Information disclosure vulnerability in MediaTek Wi-Fi driver | CVE-2016-3852 | High | Yes |
| Information disclosure vulnerability in USB driver | CVE-2016-4482 | High | Yes |
| Denial of service vulnerability in Qualcomm components | CVE-2014-9901 | High | Yes |
| Elevation of privilege vulnerability in Google Play services | CVE-2016-3853 | Moderate | Yes |
| Elevation of privilege vulnerability in Framework APIs | CVE-2016-2497 | Moderate | Yes |
| Information disclosure vulnerability in kernel networking component | CVE-2016-4578 | Moderate | Yes |
| Information disclosure vulnerability in kernel sound component | CVE-2016-4569, CVE-2016-4578 | Moderate | Yes |
| Vulnerabilities in Qualcomm components | CVE-2016-3854, CVE-2016-3855, CVE-2016-3856 | High | No |

Based on past experience, Nexus users are going to get both sets of patches within the next seven days. Other Android users may have to wait an awful lot longer – during which time, they’ll be potentially vulnerable to attack. ®
PS: Yeah, yeah, BlackBerry’s Priv and DTEK50 Androids get patches at the same time as Nexuses. We know.