Android's latest patches once again remind us: It's Nexus or bust if you want decent security

Or buy something that doesn't use a Qualcomm Snapdragon

Android patch

Another month means another double bundle of security vulnerability patches for Android.

Google is sticking to the twin-release pattern it used last month: the first batch addresses flaws in Android's system-level software that everyone should install, and the second squashes bugs in hardware drivers and kernel-level code that not everyone needs.

The first patch set closes holes in Android 4.4.4 to the current build. Owners of Nexus gear will get these patches over-the-air very soon; everyone else will have to wait for their gadget makers and cellphone networks to issue them – which might be forever, leaving them forever vulnerable.

These holes include programming blunders in Mediaserver that can be exploited by a specially crafted MMS or an in-browser media file to potentially execute malicious code on a device. Getting a bad text or visiting an evil webpage could be enough to slip spyware onto your device, provided it is able to defeat ASLR and other defense mechanisms.

Mediaserver has other bugs, including four elevation-of-privileges holes allowing installed apps to gain more control of a device than they should, and code cockups that can crash a handheld.

The remaining patches address information leakages in the Wi-Fi, camera, SurfaceFlinger and Mediaserver code, and OpenSSL, all of which can be abused by installed apps to "access sensitive data without permission." The full list is here:

Issue CVE Severity Affects Nexus?
Remote code execution vulnerability in Mediaserver CVE-2016-3819, CVE-2016-3820, CVE-2016-3821 Critical Yes
Remote code execution vulnerability in libjhead CVE-2016-3822 High Yes
Elevation of privilege vulnerability in Mediaserver CVE-2016-3823, CVE-2016-3824, CVE-2016-3825, CVE-2016-3826 High Yes
Denial of service vulnerability in Mediaserver CVE-2016-3827, CVE-2016-3828, CVE-2016-3829, CVE-2016-3830 High Yes
Denial of service vulnerability in system clock CVE-2016-3831 High Yes
Elevation of privilege vulnerability in framework APIs CVE-2016-3832 Moderate Yes
Elevation of privilege vulnerability in Shell CVE-2016-3833 Moderate Yes
Information disclosure vulnerability in OpenSSL CVE-2016-2842 Moderate Yes
Information disclosure vulnerability in camera APIs CVE-2016-3834 Moderate Yes
Information disclosure vulnerability in Mediaserver CVE-2016-3835 Moderate Yes
Information disclosure vulnerability in SurfaceFlinger CVE-2016-3836 Moderate Yes
Information disclosure vulnerability in Wi-Fi CVE-2016-3837 Moderate Yes
Denial of service vulnerability in system UI CVE-2016-3838 Moderate Yes
Denial of service vulnerability in Bluetooth CVE-2016-3839 Moderate Yes

The second patch bundle contains fixes for driver-level code, and whether or not you need each of them depends on your hardware: if you have a chipset that introduces one of these vulnerabilities, you'll need to install a fix.

Nexus owners will get these automatically as necessary; other phone and tablet manufacturers may roll them out as and when they feel ready. That could be never in some cases.

The bundle predominantly fixes problems with Qualcomm's driver software – Qualy being the dominant Android system-on-chip designer, and its Snapdragon SoCs are used pretty much everywhere. These Qualcomm bugs are definitely ones to watch as these kinds of low-level flaws were used to blow apart Android's full-disk encryption system last month.

The patches includes fixes for Qualcomm's bootloader, and Qualcomm drivers for cameras, networking, sound, and video hardware. A malicious app on a Qualcomm-powered phone or tablet could exploit these to gain kernel-level access – completely hijacking the device, in other words. An app could use these holes to root a Nexus 5, 5X, 6, 6P and 7 so badly it would need a complete factory reset to undo the damage.

There are other bugs fixed in this batch because they can be exploited by malicious applications on Qualcomm-powered devices to access "sensitive data without explicit user permission." The full list is below:

Issue CVE Severity Affects Nexus?
Remote code execution vulnerability in Qualcomm Wi‑Fi driver CVE-2014-9902 Critical Yes
Remote code execution vulnerability in Conscrypt CVE-2016-3840 Critical Yes
Elevation of privilege vulnerability in Qualcomm components CVE-2014-9863, CVE-2014-9864, CVE-2014-9865, CVE-2014-9866, CVE-2014-9867, CVE-2014-9868, CVE-2014-9869, CVE-2014-9870, CVE-2014-9871, CVE-2014-9872, CVE-2014-9873, CVE-2014-9874, CVE-2014-9875, CVE-2014-9876, CVE-2014-9877, CVE-2014-9878, CVE-2014-9879, CVE-2014-9880, CVE-2014-9881, CVE-2014-9882, CVE-2014-9883, CVE-2014-9884, CVE-2014-9885, CVE-2014-9886, CVE-2014-9887, CVE-2014-9888, CVE-2014-9889, CVE-2014-9890, CVE-2014-9891, CVE-2015-8937, CVE-2015-8938, CVE-2015-8939, CVE-2015-8940, CVE-2015-8941, CVE-2015-8942, CVE-2015-8943 Critical Yes
Elevation of privilege vulnerability in kernel networking component CVE-2015-2686, CVE-2016-3841 Critical Yes
Elevation of privilege vulnerability in Qualcomm GPU driver CVE-2016-2504, CVE-2016-3842 Critical Yes
Elevation of privilege vulnerability in Qualcomm performance component CVE-2016-3843 Critical Yes
Elevation of privilege vulnerability in kernel CVE-2016-3857 Critical Yes
Elevation of privilege vulnerability in kernel memory system CVE-2015-1593, CVE-2016-3672 High Yes
Elevation of privilege vulnerability in kernel sound component CVE-2016-2544, CVE-2016-2546, CVE-2014-9904 High Yes
Elevation of privilege vulnerability in kernel file system CVE-2012-6701 High Yes
Elevation of privilege vulnerability in Mediaserver CVE-2016-3844 High Yes
Elevation of privilege vulnerability in kernel video driver CVE-2016-3845 High Yes
Elevation of privilege vulnerability in Serial Peripheral Interface driver CVE-2016-3846 High Yes
Elevation of privilege vulnerability in NVIDIA media driver CVE-2016-3847, CVE-2016-3848 High Yes
Elevation of privilege vulnerability in ION driver CVE-2016-3849 High Yes
Elevation of privilege vulnerability in Qualcomm bootloader CVE-2016-3850 High Yes
Elevation of privilege vulnerability in kernel performance subsystem CVE-2016-3843 High Yes
Elevation of privilege vulnerability in LG Electronics bootloader CVE-2016-3851 High Yes
Information disclosure vulnerability in Qualcomm components CVE-2014-9892, CVE-2014-9893, CVE-2014-9894, CVE-2014-9895, CVE-2014-9896, CVE-2014-9897, CVE-2014-9898, CVE-2014-9899, CVE-2014-9900, CVE-2015-8944 High Yes
Information disclosure vulnerability in kernel scheduler CVE-2014-9903 High Yes
Information disclosure vulnerability in MediaTek Wi-Fi driver CVE-2016-3852 High Yes
Information disclosure vulnerability in USB driver CVE-2016-4482 High Yes
Denial of service vulnerability in Qualcomm components CVE-2014-9901 High Yes
Elevation of privilege vulnerability in Google Play services CVE-2016-3853 Moderate Yes
Elevation of privilege vulnerability in Framework APIs CVE-2016-2497 Moderate Yes
Information disclosure vulnerability in kernel networking component CVE-2016-4578 Moderate Yes
Information disclosure vulnerability in kernel sound component CVE-2016-4569, CVE-2016-4578 Moderate Yes
Vulnerabilities in Qualcomm components CVE-2016-3854, CVE-2016-3855, CVE-2016-3856 High No

Based on past experience, Nexus users are going to get both sets of patches within the next seven days. Other Android users may have to wait an awful lot longer – during which time, they'll be potentially vulnerable to attack. ®

PS: Yeah, yeah, BlackBerry's Priv and DETK50 Androids get patches at the same time as Nexuses. We know. Good for them.


Biting the hand that feeds IT © 1998–2017