Google melts 78 Android security holes, two of which were critical

Chinese hackers thanked for help finding flaws

Google has crushed 78 Android security flaws in its October bug blitzkrieg, repairing critical core Android services along the way.

The patch parade sees the tech giant return to a high-double-digit patch run after issuing only 47 fixes last month and a whopping 103 in August.

The updates are split into essential Android system-level software flaws, recommended hardware drivers and kernel-level flaws.

Google appears not to have felled any bugs worthy of a name, logo, and a website, but did stomp on five critical holes including two remote code execution kernel bugs, two privilege escalation, and clobbered Qualcomm componentry (CVE-2016-3926, CVE-2016-3927, CVE-2016-3929).

The critical bugs could allow attackers to permanently bork all Nexus devices requiring users to re-flash their operating systems and lose all unprotected data.

The first of these (CVE-2016-7117) lies in the kernel networking subsystem allowing remote attackers to execute arbitrary code in the context of the kernel.

Another critical hole (CVE-2016-0758 ) allows installed apps to execute arbitrary code within the context of the kernel via an elevation of privilege vulnerability in the kernel ASN.1 decoder.

Those are joined by 44 high-severity holes, many of which were privilege escalation, affecting the zygote process, mediaserver, and lock screen among other services.

Mountain View flushed 14 moderate-severity bugs, three of which were privilege escalation, with one information disclosure hole and a lone denial of service wi-fi hole.

Android engineers fixed one lonely low-severity denial of service vulnerability in kernel sound driver which VXer jerks could use to reboot devices.

Google thanked its cadre of external and internal security researchers who found the bugs. An increasing number of those hail from China where bug bashing appears to have become a sport notably among the vulnerability chaingun house Qihoo 360.

The company again yelled into the Android ecosystem echo chamber in a deflated bid to get vendors to apply patches to their custom ROMs. ®

Issue CVE Severity Affects Nexus?
Elevation of privilege vulnerability in ServiceManager CVE-2016-3900 High Yes
Elevation of privilege vulnerability in Lock Settings Service CVE-2016-3908 High Yes
Elevation of privilege vulnerability in Mediaserver CVE-2016-3909, CVE-2016-3910, CVE-2016-3913 High Yes
Elevation of privilege vulnerability in Zygote process CVE-2016-3911 High Yes
Elevation of privilege vulnerability in framework APIs CVE-2016-3912 High Yes
Elevation of privilege vulnerability in Telephony CVE-2016-3914 High Yes
Elevation of privilege vulnerability in Camera service CVE-2016-3915, CVE-2016-3916 High Yes
Elevation of privilege vulnerability in fingerprint login CVE-2016-3917 High Yes
Information disclosure vulnerability in AOSP Mail CVE-2016-3918 High Yes
Denial of service vulnerability in Wi-Fi CVE-2016-3882 High Yes
Denial of service vulnerability in GPS CVE-2016-5348 High Yes
Denial of service vulnerability in Mediaserver CVE-2016-3920 High Yes
Elevation of privilege vulnerability in Framework Listener CVE-2016-3921 Moderate Yes
Elevation of privilege vulnerability in Telephony CVE-2016-3922 Moderate Yes
Elevation of privilege vulnerability in Accessibility services CVE-2016-3923 Moderate Yes
Information disclosure vulnerability in Mediaserver CVE-2016-3924 Moderate Yes
Denial of service vulnerability in Wi-Fi CVE-2016-3925 Moderate Yes
2016-10-05 security patch level—Vulnerability summary
 
Issue CVE Severity Affects Nexus?
Remote code execution vulnerability in kernel ASN.1 decoder CVE-2016-0758 Critical Yes
Remote code execution vulnerability in kernel networking subsystem CVE-2016-7117 Critical Yes
Elevation of privilege vulnerability in MediaTek video driver CVE-2016-3928 Critical No
Elevation of privilege vulnerability in kernel shared memory driver CVE-2016-5340 Critical Yes
Vulnerabilities in Qualcomm components CVE-2016-3926, CVE-2016-3927, CVE-2016-3929 Critical Yes
Elevation of privilege vulnerability in Qualcomm networking component CVE-2016-2059 High Yes
Elevation of privilege vulnerability in NVIDIA MMC test driver CVE-2016-3930 High Yes
Elevation of privilege vulnerability in Qualcomm Secure Execution Environment Communicator driver CVE-2016-3931 High Yes
Elevation of privilege vulnerability in Mediaserver CVE-2016-3932, CVE-2016-3933 High Yes
Elevation of privilege vulnerability in Qualcomm camera driver CVE-2016-3903, CVE-2016-3934 High Yes
Elevation of privilege vulnerability in Qualcomm sound driver CVE-2015-8951 High Yes
Elevation of privilege vulnerability in Qualcomm crypto engine driver CVE-2016-3901, CVE-2016-3935 High No
Elevation of privilege vulnerability in MediaTek video driver CVE-2016-3936, CVE-2016-3937 High Yes
Elevation of privilege vulnerability in Qualcomm video driver CVE-2016-3938, CVE-2016-3939 High Yes
Elevation of privilege vulnerability in Synaptics touchscreen driver CVE-2016-3940, CVE-2016-6672 High Yes
Elevation of privilege vulnerability in NVIDIA camera driver CVE-2016-6673 High Yes
Elevation of privilege vulnerability in system_server CVE-2016-6674 High Yes
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver CVE-2016-3905, CVE-2016-6675, CVE-2016-6676, CVE-2016-5342 High Yes
Elevation of privilege vulnerability in kernel performance subsystem CVE-2015-8955 High Yes
Information disclosure vulnerability in kernel ION subsystem CVE-2015-8950 High Yes
Information disclosure vulnerability in NVIDIA GPU driver CVE-2016-6677 High Yes
Elevation of privilege vulnerability in Qualcomm character driver CVE-2015-0572 Moderate Yes
Information disclosure vulnerability in Qualcomm sound driver CVE-2016-3860 Moderate Yes
Information disclosure vulnerability in Motorola USBNet driver CVE-2016-6678 Moderate Yes
Information disclosure vulnerability in Qualcomm components CVE-2016-6679, CVE-2016-3902, CVE-2016-6680, CVE-2016-6681, CVE-2016-6682 Moderate Yes
Information disclosure vulnerability in kernel components CVE-2016-6683, CVE-2016-6684, CVE-2015-8956, CVE-2016-6685 Moderate Yes
Information disclosure vulnerability in NVIDIA profiler CVE-2016-6686, CVE-2016-6687, CVE-2016-6688 Moderate Yes
Information disclosure vulnerability in kernel CVE-2016-6689 Moderate Yes
Denial of service vulnerability in kernel networking subsystem CVE-2016-5696 Moderate Yes
Denial of service vulnerability in kernel sound driver CVE-2016-6690 Low Yes
Vulnerabilities in Qualcomm components CVE-2016-6691, CVE-2016-6692, CVE-2016-6693, CVE-2016-6694, CVE-2016-6695, CVE-2016-6696, CVE-2016-5344, CVE-2016-5343 High No

®


Biting the hand that feeds IT © 1998–2017