This article is more than 1 year old
Android gets larger-than-usual patch bundle as researchers get to work
Monthly update goes out to Nexus owners, a few others
As a further sign that researchers are getting serious about finding holes in Android operating systems, Google has released one of its biggest ever monthly patch bundles, with 39 flaws fixed.
"The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," the update states. "There have been no reports of active customer exploitation or abuse of the other newly reported issues."
Of the 15 critical patches, eight cover mediaserver and Android's media center that are the hub of all music, messaging and video content users download. All allow remote code execution and this is the second month in a row of multiple patches for media handling, with a host of high and moderate fixes as well in this update.
The effects of Stagefright, the bug that prompted Google on the path of monthly updates – and the odd out-of-band patch – also linger. There's another critical patch that allows outsiders to install their own code on devices.
The Qualcomm Performance Module continued to give Android headaches, getting its third critical patch in three months. The company's RF component also needs an urgent fix.
A larger number of patches cover Android, oldest-supported 4.4 but there are plenty in newer versions too, particularly the most recent builds, and you can get the full list below:
Issue | CVE | Severity |
---|---|---|
Remote Code Execution Vulnerability in Mediaserver | CVE-2016-0835
CVE-2016-0836 CVE-2016-0837 CVE-2016-0838 CVE-2016-0839 CVE-2016-0840 CVE-2016-0841 |
Critical |
Remote Code Execution Vulnerability in Media Codec | CVE-2016-0834 | Critical |
Remote Code Execution Vulnerability in libstagefright | CVE-2016-0842 | Critical |
Elevation of Privilege Vulnerability in the Qualcomm Performance Component | CVE-2016-0843 | Critical |
Elevation of Privilege Vulnerability in Qualcomm RF Component | CVE-2016-0844 | Critical |
Elevation of Privilege Vulnerability in Kernel | CVE-2016-1805
CVE-2016-9322 |
Critical |
Remote Code Execution Vulnerability in DHCPCD | CVE-2016-1503
CVE-2014-6060 |
Critical |
Elevation of Privilege Vulnerability in IMemory Native Interface | CVE-2016-0846 | High |
Elevation of Privilege Vulnerability in Telecom Component | CVE-2016-0847 | High |
Elevation of Privilege Vulnerability in Download Manager | CVE-2016-0848 | High |
Elevation of Privilege Vulnerability in Recovery Procedure | CVE-2016-0849 | High |
Elevation of Privilege Vulnerability in Bluetooth | CVE-2016-0850 | High |
Elevation of Privilege Vulnerability in Texas Instruments Haptic Driver | CVE-2016-2409 | High |
Elevation of Privilege Vulnerability in a Video Kernel Driver | CVE-2016-2410 | High |
Elevation of Privilege Vulnerability in Qualcomm Power Management Component | CVE-2016-2411 | High |
Elevation of Privilege Vulnerability in System_server | CVE-2016-2412 | High |
Elevation of Privilege Vulnerability in Mediaserver | CVE-2016-2413 | High |
Denial of Service Vulnerability in Minikin | CVE-2016-2414 | High |
Information Disclosure Vulnerability in Exchange ActiveSync | CVE-2016-2415 | High |
Information Disclosure Vulnerability in Mediaserver | CVE-2016-2416
CVE-2016-2417 CVE-2016-2418 CVE-2016-2419 |
High |
Elevation of Privilege Vulnerability in Debuggerd Component | CVE-2016-2420 | Moderate |
Elevation of Privilege Vulnerability in Setup Wizard | CVE-2016-2421 | Moderate |
Elevation of Privilege Vulnerability in Wi-Fi | CVE-2016-2422 | Moderate |
Elevation of Privilege Vulnerability in Telephony | CVE-2016-2423 | Moderate |
Denial of Service Vulnerability in SyncStorageEngine | CVE-2016-2424 | Moderate |
Information Disclosure Vulnerability in AOSP Mail | CVE-2016-2425 | Moderate |
Information Disclosure Vulnerability in Framework | CVE-2016-2426 | Moderate |
Information Disclosure Vulnerability in BouncyCastle | CVE-2016-2427 | Moderate |
Judging from the size of the patch bundle, and the large and varied list of vulnerability contributors outside of the Chocolate Factory, it looks as though the Security Rewards scheme Google announced last July is paying dividends.
Researchers can earn up to $2,000 for a critical Android bug, but quadruple that if they also include a compatibility test suite to detect it, and a patch. But Google pays more for the big issues, as do others, and there's now a growing market of people making serious bounty money.
A regrettable number of Nexus owners tend to get rather smug on Android patching day, since they get the patches automatically. Those using other manufacturers' kit will have to wait and see. Samsung, LG are silent on the matter, although Blackphone users will probably be sorted out fastest of the non-Google phones. ®