Android's latest patches once again remind us: It's Nexus or bust if you want decent security
Or buy something that doesn't use a Qualcomm Snapdragon
Another month means another double bundle of security vulnerability patches for Android.
Google is sticking to the twin-release pattern it used last month: the first batch addresses flaws in Android's system-level software that everyone should install, and the second squashes bugs in hardware drivers and kernel-level code that not everyone needs.
The first patch set closes holes in Android 4.4.4 to the current build. Owners of Nexus gear will get these patches over-the-air very soon; everyone else will have to wait for their gadget makers and cellphone networks to issue them – which might be forever, leaving them forever vulnerable.
These holes include programming blunders in Mediaserver that can be exploited by a specially crafted MMS or an in-browser media file to potentially execute malicious code on a device. Getting a bad text or visiting an evil webpage could be enough to slip spyware onto your device, provided it is able to defeat ASLR and other defense mechanisms.
Mediaserver has other bugs, including four elevation-of-privileges holes allowing installed apps to gain more control of a device than they should, and code cockups that can crash a handheld.
The remaining patches address information leakages in the Wi-Fi, camera, SurfaceFlinger and Mediaserver code, and OpenSSL, all of which can be abused by installed apps to "access sensitive data without permission." The full list is here:
| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in Mediaserver | CVE-2016-3819, CVE-2016-3820, CVE-2016-3821 | Critical | Yes |
| Remote code execution vulnerability in libjhead | CVE-2016-3822 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3823, CVE-2016-3824, CVE-2016-3825, CVE-2016-3826 | High | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2016-3827, CVE-2016-3828, CVE-2016-3829, CVE-2016-3830 | High | Yes |
| Denial of service vulnerability in system clock | CVE-2016-3831 | High | Yes |
| Elevation of privilege vulnerability in framework APIs | CVE-2016-3832 | Moderate | Yes |
| Elevation of privilege vulnerability in Shell | CVE-2016-3833 | Moderate | Yes |
| Information disclosure vulnerability in OpenSSL | CVE-2016-2842 | Moderate | Yes |
| Information disclosure vulnerability in camera APIs | CVE-2016-3834 | Moderate | Yes |
| Information disclosure vulnerability in Mediaserver | CVE-2016-3835 | Moderate | Yes |
| Information disclosure vulnerability in SurfaceFlinger | CVE-2016-3836 | Moderate | Yes |
| Information disclosure vulnerability in Wi-Fi | CVE-2016-3837 | Moderate | Yes |
| Denial of service vulnerability in system UI | CVE-2016-3838 | Moderate | Yes |
| Denial of service vulnerability in Bluetooth | CVE-2016-3839 | Moderate | Yes |
The second patch bundle contains fixes for driver-level code, and whether or not you need each of them depends on your hardware: if you have a chipset that introduces one of these vulnerabilities, you'll need to install a fix.
Nexus owners will get these automatically as necessary; other phone and tablet manufacturers may roll them out as and when they feel ready. That could be never in some cases.
The bundle predominantly fixes problems with Qualcomm's driver software – Qualy being the dominant Android system-on-chip designer, with its Snapdragon SoCs used pretty much everywhere. These Qualcomm bugs are definitely ones to watch, as these kinds of low-level flaws were used to blow apart Android's full-disk encryption system last month.
The patches include fixes for Qualcomm's bootloader, and Qualcomm drivers for cameras, networking, sound, and video hardware. A malicious app on a Qualcomm-powered phone or tablet could exploit these to gain kernel-level access – completely hijacking the device, in other words. An app could use these holes to root a Nexus 5, 5X, 6, 6P and 7 so badly it would need a complete factory reset to undo the damage.
There are other bugs fixed in this batch because they can be exploited by malicious applications on Qualcomm-powered devices to access "sensitive data without explicit user permission." The full list is below:
| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in Qualcomm Wi-Fi driver | CVE-2014-9902 | Critical | Yes |
| Remote code execution vulnerability in Conscrypt | CVE-2016-3840 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm components | CVE-2014-9863, CVE-2014-9864, CVE-2014-9865, CVE-2014-9866, CVE-2014-9867, CVE-2014-9868, CVE-2014-9869, CVE-2014-9870, CVE-2014-9871, CVE-2014-9872, CVE-2014-9873, CVE-2014-9874, CVE-2014-9875, CVE-2014-9876, CVE-2014-9877, CVE-2014-9878, CVE-2014-9879, CVE-2014-9880, CVE-2014-9881, CVE-2014-9882, CVE-2014-9883, CVE-2014-9884, CVE-2014-9885, CVE-2014-9886, CVE-2014-9887, CVE-2014-9888, CVE-2014-9889, CVE-2014-9890, CVE-2014-9891, CVE-2015-8937, CVE-2015-8938, CVE-2015-8939, CVE-2015-8940, CVE-2015-8941, CVE-2015-8942, CVE-2015-8943 | Critical | Yes |
| Elevation of privilege vulnerability in kernel networking component | CVE-2015-2686, CVE-2016-3841 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm GPU driver | CVE-2016-2504, CVE-2016-3842 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm performance component | CVE-2016-3843 | Critical | Yes |
| Elevation of privilege vulnerability in kernel | CVE-2016-3857 | Critical | Yes |
| Elevation of privilege vulnerability in kernel memory system | CVE-2015-1593, CVE-2016-3672 | High | Yes |
| Elevation of privilege vulnerability in kernel sound component | CVE-2016-2544, CVE-2016-2546, CVE-2014-9904 | High | Yes |
| Elevation of privilege vulnerability in kernel file system | CVE-2012-6701 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3844 | High | Yes |
| Elevation of privilege vulnerability in kernel video driver | CVE-2016-3845 | High | Yes |
| Elevation of privilege vulnerability in Serial Peripheral Interface driver | CVE-2016-3846 | High | Yes |
| Elevation of privilege vulnerability in NVIDIA media driver | CVE-2016-3847, CVE-2016-3848 | High | Yes |
| Elevation of privilege vulnerability in ION driver | CVE-2016-3849 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm bootloader | CVE-2016-3850 | High | Yes |
| Elevation of privilege vulnerability in kernel performance subsystem | CVE-2016-3843 | High | Yes |
| Elevation of privilege vulnerability in LG Electronics bootloader | CVE-2016-3851 | High | Yes |
| Information disclosure vulnerability in Qualcomm components | CVE-2014-9892, CVE-2014-9893, CVE-2014-9894, CVE-2014-9895, CVE-2014-9896, CVE-2014-9897, CVE-2014-9898, CVE-2014-9899, CVE-2014-9900, CVE-2015-8944 | High | Yes |
| Information disclosure vulnerability in kernel scheduler | CVE-2014-9903 | High | Yes |
| Information disclosure vulnerability in MediaTek Wi-Fi driver | CVE-2016-3852 | High | Yes |
| Information disclosure vulnerability in USB driver | CVE-2016-4482 | High | Yes |
| Denial of service vulnerability in Qualcomm components | CVE-2014-9901 | High | Yes |
| Elevation of privilege vulnerability in Google Play services | CVE-2016-3853 | Moderate | Yes |
| Elevation of privilege vulnerability in Framework APIs | CVE-2016-2497 | Moderate | Yes |
| Information disclosure vulnerability in kernel networking component | CVE-2016-4578 | Moderate | Yes |
| Information disclosure vulnerability in kernel sound component | CVE-2016-4569, CVE-2016-4578 | Moderate | Yes |
| Vulnerabilities in Qualcomm components | CVE-2016-3854, CVE-2016-3855, CVE-2016-3856 | High | No |
Based on past experience, Nexus users are going to get both sets of patches within the next seven days. Other Android users may have to wait an awful lot longer – during which time, they'll be potentially vulnerable to attack. ®
PS: Yeah, yeah, BlackBerry's Priv and DTEK50 Androids get patches at the same time as Nexuses. We know. Good for them.