Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Patches 40 Vulnerabilities in Android

Google’s May 2016 security update for the Android operating system patches a total of 40 vulnerabilities, including many rated critical and high severity.

Google’s May 2016 security update for the Android operating system patches a total of 40 vulnerabilities, including many rated critical and high severity.

The list of critical issues includes another round of remote code execution flaws in mediaserver, and privilege escalation vulnerabilities in the Android debugger, the Qualcomm TrustZone component, the Qualcomm Wi-Fi driver, the kernel, and the NVIDIA video driver.

The mediaserver flaws allow an attacker to remotely execute code within the context of the mediaserver service. The privilege escalation weaknesses allow a local malicious application to execute arbitrary code in the context of the Android debugger or the kernel.

The critical vulnerabilities have been assigned the following CVE identifiers: CVE-2016-2428, CVE-2016-2429, CVE-2016-2430, CVE-2016-2431, CVE-2016-2432, CVE-2015-0569, CVE-2015-0570, CVE-2016-2434, CVE-2016-2435, CVE-2016-2436, CVE-2016-2437 and CVE-2015-1805.

The high severity issues patched by Google with this month’s Android updates include remote code execution vulnerabilities in the kernel and Bluetooth, and privilege elevation flaws in various Qualcomm components, Wi-Fi, mediaserver, the MediaTek Wi-Fi driver, and Binder. An information disclosure vulnerability in the Qualcomm tethering controller and a remote denial-of-service (DoS) vulnerability in the Qualcomm hardware codec have also been classified as having high severity.

The CVE identifiers assigned to these flaws are CVE-2016-2438, CVE-2016-2060, CVE-2016-2439, CVE-2016-2440, CVE-2016-2441, CVE-2016-2442, CVE-2016-2443, CVE-2015-0571, CVE-2016-2444, CVE-2016-2445, CVE-2016-2446, CVE-2016-2447, CVE-2016-2448, CVE-2016-2449, CVE-2016-2450, CVE-2016-2451, CVE-2016-2452, CVE-2016-2453 and CVE-2016-2454.

The Android update also resolves several moderate severity issues, including privilege escalation and information disclosure vulnerabilities. Only one of the 40 flaws patched this month has been rated as low severity – a DoS bug affecting the kernel.

The vulnerabilities patched by Google with the May 2016 update were reported between October 15, 2015, and March 23 by independent researchers and experts affiliated with Google, e2e-assure, C0re Team, FireEye, Qihoo 360, Search-Lab, Tencent, Trend Micro, Alibaba and Baidu.

Advertisement. Scroll to continue reading.

A security update that includes patches for most of the flaws has been pushed out to Nexus devices. Google has notified its partners about the issues on April 4 or earlier, and it will publish the source code patches on the Android Open Source Project (AOSP) repository sometime over the next couple of days.

Google also announced that it has updated severity ratings in an effort to better align them with real world impact to users.

In addition to regular Android security updates, Google sometimes releases emergency patches to address critical vulnerabilities that require immediate attention. In March, the search giant issued an update to fix a local privilege escalation flaw that had been exploited by a rooting application.

Related: Android Ransomware Dropped via Towelroot, Hacking Team Exploits

Related: Google Patches Critical Vulnerabilities in Android

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

More People On The Move

Expert Insights