3-in-4 Android phones, slabs, gizmos menaced by fresh hijack flaws

Another month, another round of critical vulnerabilities patched by Google

Google has today issued a bundle of 40 security patches for its Android operating system.

A dozen of the fixes correct critical vulnerabilities in version 4.4.4 of the operating system and above. About 74 per cent of in-use Android devices run Android 4.4.4 or higher.

These critical bugs can be potentially exploited by miscreants to hijack millions of vulnerable handsets, tablets and other Android gadgets, install malware on the devices, and spy on people.

Opening a malicious video file could lead to remote-code execution. Apps can infiltrate Qualcomm's TrustZone kernel, which is supposed to be a secure area away from Android where things like fingerprint readers are controlled. Drivers by Qualcomm and Nvidia can be exploited by apps to gain extra privileges.

Hackers have to dodge Android's built-in defenses to succeed, but this is not an impossible task. Never mind that, though, Google has decided to tweak the name of its monthly security patches.

"To reflect a broader focus, we renamed this bulletin (and all following in the series) to the Android Security Bulletin. These bulletins encompass a broader range of vulnerabilities that may affect Android devices, even if they do not affect Nexus devices," the Android advisory said.

"We updated the Android Security severity ratings. These changes were the result of data collected over the last six months on reported security vulnerabilities and aim to align severities more closely with real world impact to users."

Here's the full list of bugs blatted by today's patch bundle:

| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote Code Execution Vulnerability in Mediaserver | CVE-2016-2428, CVE-2016-2429 | Critical | Yes |
| Elevation of Privilege Vulnerability in Debuggerd | CVE-2016-2430 | Critical | Yes |
| Elevation of Privilege Vulnerability in Qualcomm TrustZone | CVE-2016-2431, CVE-2016-2432 | Critical | Yes |
| Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver | CVE-2015-0569, CVE-2015-0570 | Critical | Yes |
| Elevation of Privilege Vulnerability in NVIDIA Video Driver | CVE-2016-2434, CVE-2016-2435, CVE-2016-2436, CVE-2016-2437 | Critical | Yes |
| Elevation of Privilege Vulnerability in Kernel | CVE-2015-1805 | Critical | Yes |
| Remote Code Execution Vulnerability in Kernel | CVE-2016-2438 | High | Yes |
| Information Disclosure Vulnerability in Qualcomm Tethering Controller | CVE-2016-2060 | High | No |
| Remote Code Execution in Bluetooth | CVE-2016-2439 | High | Yes |
| Elevation of Privilege in Binder | CVE-2016-2440 | High | Yes |
| Elevation of Privilege Vulnerability in Qualcomm Buspm Driver | CVE-2016-2441, CVE-2016-2442 | High | Yes |
| Elevation of Privilege Vulnerability in Qualcomm MDP Driver | CVE-2016-2443 | High | Yes |
| Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver | CVE-2015-0571 | High | Yes |
| Elevation of Privilege Vulnerability in NVIDIA Video Driver | CVE-2016-2444, CVE-2016-2445, CVE-2016-2446 | High | Yes |
| Elevation of Privilege in Wi-Fi | CVE-2016-2447 | High | Yes |
| Elevation of Privilege Vulnerability in Mediaserver | CVE-2016-2448, CVE-2016-2449, CVE-2016-2450, CVE-2016-2451, CVE-2016-2452 | High | Yes |
| Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver | CVE-2016-2453 | High | Yes |
| Remote Denial of Service Vulnerability in Qualcomm Hardware Codec | CVE-2016-2454 | High | Yes |
| Elevation of Privilege in Conscrypt | CVE-2016-2461, CVE-2016-2462 | Moderate | Yes |
| Elevation of Privilege Vulnerability in OpenSSL & BoringSSL | CVE-2016-0705 | Moderate | Yes |
| Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver | CVE-2016-2456 | Moderate | Yes |
| Elevation of Privilege in Wi-Fi | CVE-2016-2457 | Moderate | Yes |
| Information Disclosure Vulnerability in AOSP Mail | CVE-2016-2458 | Moderate | Yes |
| Information Disclosure Vulnerability in Mediaserver | CVE-2016-2459, CVE-2016-2460 | Moderate | Yes |
| Denial of Service Vulnerability in Kernel | CVE-2016-0774 | Low | Yes |

It's clear Android's media handling capabilities are still requiring frequent updates – partly because new flaws are being found, and video files are a good way to slip malicious code into victims' devices.

The Android debugger also has a critical flaw that allows remote code execution and would require a complete operating system re-flash to fix. Thankfully there are no reports of it being exploited in the wild. Third-party hardware is also getting a lot of patches. Qualcomm gets 10 patches, four of them critical, and Nvidia gets the same number for its kit.

Nexus 5, 6, 7 and 9 devices are all covered in this month's round, as well as Android One budget phones for developing markets: Nexus users will get all of these patches installed automatically over-the-air shortly.

If you don't have a Nexus device, you'll have to wait for your carrier and gadget manufacturer to approve the updates and push them out over the air – which may take a while, or not happen at all.

Google's Play Store software can automatically install some of these patches regardless of whether or not you're using a Nexus. Unfortunately, some of the serious flaws listed above – in the kernel, Mediaserver and driver-land – cannot be fixed by the Play services, and thus you'll have to wait for the fixes to trundle their way over to you, if you're lucky.

So, either get a Nexus and automatic updates, or try not to run any dodgy apps or open any video files from people you don't trust. ®

