Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Patches 74 Vulnerabilities in Android

Google this week released the December 2016 set of monthly patches for the Android platform which resolved a total of 74 vulnerabilities, 11 which were rated Critical severity.

Google this week released the December 2016 set of monthly patches for the Android platform which resolved a total of 74 vulnerabilities, 11 which were rated Critical severity.

The December 2016 Android Security Bulletin has been split in two, namely the 2016-12-01 security patch level, which includes 16 fixes (10 High severity and 6 Medium risk) and the 2016-12-05 security patch level, which includes 58 patches (11 Critical risk, 33 High severity, and 14 Medium risk).

The 16 fixes included in the 2016-12-01 security patch level affect Android versions 4.4.4 and newer, with Android 7.0 being the most affected platform release. Only two of the vulnerabilities fixed by this patch level doesn’t affect Android 7.0, while four are exclusive to this platform iteration, Google’s advisory reveals.

The High risk flaws resolved in this release included three remote code execution vulnerabilities in CURL/LIBCURL impacting Android 7.0, an elevation of privilege vulnerability in libziparchive and a remote Code Execution vulnerability in Framesequence library impacting all 5.0.2 and newer operating system releases, a Denial of service vulnerability in Telephony and four similar issues in Mediaserver, affecting Android 4.4.4 and newer OS versions.

The Moderate severity bugs included Elevation of privilege vulnerabilities in Smart Lock, Framework APIs, Telephony, and Wi-Fi, along with Information disclosure flaws in Mediaserver and Package Manager. Devices running Android 4.4.4 and newer platform releases are impacted by these bugs.

The most important of the Critical fixes included in the 2016-12-05 security patch level is for a vulnerability tracked as CVE-2016-5195, but better known as Dirty COW. The Elevation of privilege vulnerability was found in Linux kernel, but the Android kernel memory subsystem was impacted as well, and exploits that abuse it were already made public.

In last month’s round of Android patches, Google included a patch level dedicated to the Dirty COW vulnerability, revealing that all devices running security patch level of 2016-11-06 would no longer be impacted by the bug. However, the company decided to roll out the actual patch for Nexus and Pixel devices only as part of this month’s set of updates.

The 2016-12-05 security patch level resolves a second Critical severity elevation of privilege vulnerability in kernel memory subsystem, tracked as CVE-2016-4794 and impacting Pixel C, Pixel, and Pixel XL devices. Other Critical Elevation of privilege flaws patched this month were found in NVIDIA GPU driver, kernel, NVIDIA video driver, kernel ION driver, and the Qualcomm MSM interface.

Advertisement. Scroll to continue reading.

Most of the High severity flaws resolved by this patch level were Elevation of privilege bugs as well, affecting the kernel file system, kernel, HTC sound codec driver, MediaTek driver, Qualcomm media codecs, Qualcomm camera driver, kernel performance subsystem, MediaTek I2C driver, NVIDIA libomx library, Qualcomm sound driver, kernel security subsystem, Synaptics touchscreen driver, and Broadcom Wi-Fi driver.

Other resolved High risk issues include Information disclosure flaws in MediaTek video driver and NVIDIA video driver, along with Denial of service vulnerabilities in GPS and NVIDIA camera driver.

The 14 Medium risk fixes in this patch series resolve an Elevation of privilege vulnerability in kernel networking subsystem, along with 13 Information disclosure flaws in Qualcomm components, NVIDIA librm library, kernel components (such as the ION subsystem, Binder, USB driver and networking subsystem), NVIDIA video driver, and Qualcomm sound driver.

Related: Google Patches 23 Critical Vulnerabilities in Android

Related: Google Patches 78 Vulnerabilities in Android

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.