This article is more than 1 year old
3-in-4 Android phones, slabs, gizmos menaced by fresh hijack flaws
Another month, another round of critical vulnerabilities patched by Google
Google has today issued a bundle of 40 security patches for its Android operating system.
A dozen of the fixes correct critical vulnerabilities in versions 4.4.4 of the operating system and above. About 74 per cent of in-use Android devices run Android 4.4.4 or higher.
These critical bugs can be potentially exploited by miscreants to hijack millions of vulnerable handsets, tablets and other Android gadgets, install malware on the devices, and spy on people.
Opening a malicious video file could lead to remote-code execution. Apps can infiltrate Qualcomm's TrustZone kernel, which is supposed to be a secure area away from Android where things like fingerprint readers are controlled. Drivers by Qualcomm and Nvidia can be exploited by apps to gain extra privileges.
Hackers have to dodge Android's built-in defenses to succeed, but this is not an impossible task. Never mind that, though, Google has decided to tweak the name of its monthly security patches.
"To reflect a broader focus, we renamed this bulletin (and all following in the series) to the Android Security Bulletin. These bulletins encompass a broader range of vulnerabilities that may affect Android devices, even if they do not affect Nexus devices," the Android advisory said.
"We updated the Android Security severity ratings. These changes were the result of data collected over the last six months on reported security vulnerabilities and aim to align severities more closely with real world impact to users."
Here's the full list of bugs blatted by today's patch bundle:
Issue | CVE | Severity | Affects Nexus? |
---|---|---|---|
Remote Code Execution Vulnerability in Mediaserver | CVE-2016-2428
CVE-2016-2429 |
Critical | Yes |
Elevation of Privilege Vulnerability in Debuggerd | CVE-2016-2430 | Critical | Yes |
Elevation of Privilege Vulnerability in Qualcomm TrustZone | CVE-2016-2431
CVE-2016-2432 |
Critical | Yes |
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver | CVE-2015-0569
CVE-2015-0570 |
Critical | Yes |
Elevation of Privilege Vulnerability in NVIDIA Video Driver | CVE-2016-2434
CVE-2016-2435 CVE-2016-2436 CVE-2016-2437 |
Critical | Yes |
Elevation of Privilege Vulnerability in Kernel | CVE-2015-1805 | Critical | Yes |
Remote Code Execution Vulnerability in Kernel | CVE-2016-2438 | High | Yes |
Information Disclosure Vulnerability in Qualcomm Tethering Controller | CVE-2016-2060 | High | No |
Remote Code Execution in Bluetooth | CVE-2016-2439 | High | Yes |
Elevation of Privilege in Binder | CVE-2016-2440 | High | Yes |
Elevation of Privilege Vulnerability in Qualcomm Buspm Driver | CVE-2016-2441
CVE-2016-2442 |
High | Yes |
Elevation of Privilege Vulnerability in Qualcomm MDP Driver | CVE-2016-2443 | High | Yes |
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver | CVE-2015-0571 | High | Yes |
Elevation of Privilege Vulnerability in NVIDIA Video Driver | CVE-2016-2444
CVE-2016-2445 CVE-2016-2446 |
High | Yes |
Elevation of Privilege in Wi-Fi | CVE-2016-2447 | High | Yes |
Elevation of Privilege Vulnerability in Mediaserver | CVE-2016-2448
CVE-2016-2449 CVE-2016-2450 CVE-2016-2451 CVE-2016-2452 |
High | Yes |
Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver | CVE-2016-2453 | High | Yes |
Remote Denial of Service Vulnerability in Qualcomm Hardware Codec | CVE-2016-2454 | High | Yes |
Elevation of Privilege in Conscrypt | CVE-2016-2461
CVE-2016-2462 |
Moderate | Yes |
Elevation of Privilege Vulnerability in OpenSSL & BoringSSL | CVE-2016-0705 | Moderate | Yes |
Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver | CVE-2016-2456 | Moderate | Yes |
Elevation of Privilege in Wi-Fi | CVE-2016-2457 | Moderate | Yes |
Information Disclosure Vulnerability in AOSP Mail | CVE-2016-2458 | Moderate | Yes |
Information Disclosure Vulnerability in Mediaserver | CVE-2016-2459
CVE-2016-2460 |
Moderate | Yes |
Denial of Service Vulnerability in Kernel | CVE-2016-0774 | Low | Yes |
It's clear Android's media handling capabilities are still requiring frequent updates – partly because new flaws are being found, and video files are a good way to slip malicious code into victims' devices.
The Android debugger also has a critical flaw that allows remote code execution and would require a complete operating system re-flash to fix. Thankfully there are no reports of it being exploited in the wild. Third-party hardware is also getting a lot of patches. Qualcomm gets 10 patches four of them critical, and Nvidia gets the same number for its kit.
Nexus 5, 6, 7 and 9 devices are all covered in this month's round, as well as Android One budget phones for developing markets: Nexus users will get all of these patches installed automatically over-the-air shortly.
If you don't have a Nexus device, you'll have to wait for your carrier and gadget manufacturer to approve the updates and push them out over the air – which make take a while, or not happen at all.
Google's Play Store software can automatically install some of these patches regardless of whether or not you're using a Nexus. Unfortunately, some of the serious flaws listed above – in the kernel, Mediaserver and driver-land – cannot be fixed by the Play services, and thus you'll have to wait for the fixes to trundle their way over to you, if you're lucky.
So, either get a Nexus and automatic updates, or try not to run any dodgy apps or open any video files from people you don't trust. ®