nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Android gets larger-than-usual patch bundle as researchers get to work

Monthly update goes out to Nexus owners, a few others

By Iain Thomson, 5 Apr 2016

As a further sign that researchers are getting serious about finding holes in Android operating systems, Google has released one of its biggest ever monthly patch bundles, with 39 flaws fixed.

"The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," the update states. "There have been no reports of active customer exploitation or abuse of the other newly reported issues."

Of the 15 critical patches, eight cover mediaserver and Android's media center that are the hub of all music, messaging and video content users download. All allow remote code execution and this is the second month in a row of multiple patches for media handling, with a host of high and moderate fixes as well in this update.

The effects of Stagefright, the bug that prompted Google on the path of monthly updates – and the odd out-of-band patch – also linger. There's another critical patch that allows outsiders to install their own code on devices.

The Qualcomm Performance Module continued to give Android headaches, getting its third critical patch in three months. The company's RF component also needs an urgent fix.

A larger number of patches cover Android, oldest-supported 4.4 but there are plenty in newer versions too, particularly the most recent builds, and you can get the full list below:

Issue CVE Severity
Remote Code Execution Vulnerability in Mediaserver CVE-2016-0835

CVE-2016-0836

CVE-2016-0837

CVE-2016-0838

CVE-2016-0839

CVE-2016-0840

CVE-2016-0841

Critical
Remote Code Execution Vulnerability in Media Codec CVE-2016-0834 Critical
Remote Code Execution Vulnerability in libstagefright CVE-2016-0842 Critical
Elevation of Privilege Vulnerability in the Qualcomm Performance Component CVE-2016-0843 Critical
Elevation of Privilege Vulnerability in Qualcomm RF Component CVE-2016-0844 Critical
Elevation of Privilege Vulnerability in Kernel CVE-2016-1805

CVE-2016-9322

Critical
Remote Code Execution Vulnerability in DHCPCD CVE-2016-1503

CVE-2014-6060

Critical
Elevation of Privilege Vulnerability in IMemory Native Interface CVE-2016-0846 High
Elevation of Privilege Vulnerability in Telecom Component CVE-2016-0847 High
Elevation of Privilege Vulnerability in Download Manager CVE-2016-0848 High
Elevation of Privilege Vulnerability in Recovery Procedure CVE-2016-0849 High
Elevation of Privilege Vulnerability in Bluetooth CVE-2016-0850 High
Elevation of Privilege Vulnerability in Texas Instruments Haptic Driver CVE-2016-2409 High
Elevation of Privilege Vulnerability in a Video Kernel Driver CVE-2016-2410 High
Elevation of Privilege Vulnerability in Qualcomm Power Management Component CVE-2016-2411 High
Elevation of Privilege Vulnerability in System_server CVE-2016-2412 High
Elevation of Privilege Vulnerability in Mediaserver CVE-2016-2413 High
Denial of Service Vulnerability in Minikin CVE-2016-2414 High
Information Disclosure Vulnerability in Exchange ActiveSync CVE-2016-2415 High
Information Disclosure Vulnerability in Mediaserver CVE-2016-2416

CVE-2016-2417

CVE-2016-2418

CVE-2016-2419

High
Elevation of Privilege Vulnerability in Debuggerd Component CVE-2016-2420 Moderate
Elevation of Privilege Vulnerability in Setup Wizard CVE-2016-2421 Moderate
Elevation of Privilege Vulnerability in Wi-Fi CVE-2016-2422 Moderate
Elevation of Privilege Vulnerability in Telephony CVE-2016-2423 Moderate
Denial of Service Vulnerability in SyncStorageEngine CVE-2016-2424 Moderate
Information Disclosure Vulnerability in AOSP Mail CVE-2016-2425 Moderate
Information Disclosure Vulnerability in Framework CVE-2016-2426 Moderate
Information Disclosure Vulnerability in BouncyCastle CVE-2016-2427 Moderate

Judging from the size of the patch bundle, and the large and varied list of vulnerability contributors outside of the Chocolate Factory, it looks as though the Security Rewards scheme Google announced last July is paying dividends.

Researchers can earn up to $2,000 for a critical Android bug, but quadruple that if they also include a compatibility test suite to detect it, and a patch. But Google pays more for the big issues, as do others, and there's now a growing market of people making serious bounty money.

A regrettable number of Nexus owners tend to get rather smug on Android patching day, since they get the patches automatically. Those using other manufacturers' kit will have to wait and see. Samsung, LG are silent on the matter, although Blackphone users will probably be sorted out fastest of the non-Google phones. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing