Google this week released the December 2016 set of monthly patches for the Android platform which resolved a total of 74 vulnerabilities, 11 which were rated Critical severity.
The December 2016 Android Security Bulletin has been split in two, namely the 2016-12-01 security patch level, which includes 16 fixes (10 High severity and 6 Medium risk) and the 2016-12-05 security patch level, which includes 58 patches (11 Critical risk, 33 High severity, and 14 Medium risk).
The 16 fixes included in the 2016-12-01 security patch level affect Android versions 4.4.4 and newer, with Android 7.0 being the most affected platform release. Only two of the vulnerabilities fixed by this patch level doesn’t affect Android 7.0, while four are exclusive to this platform iteration, Google’s advisory reveals.
The High risk flaws resolved in this release included three remote code execution vulnerabilities in CURL/LIBCURL impacting Android 7.0, an elevation of privilege vulnerability in libziparchive and a remote Code Execution vulnerability in Framesequence library impacting all 5.0.2 and newer operating system releases, a Denial of service vulnerability in Telephony and four similar issues in Mediaserver, affecting Android 4.4.4 and newer OS versions.
The Moderate severity bugs included Elevation of privilege vulnerabilities in Smart Lock, Framework APIs, Telephony, and Wi-Fi, along with Information disclosure flaws in Mediaserver and Package Manager. Devices running Android 4.4.4 and newer platform releases are impacted by these bugs.
The most important of the Critical fixes included in the 2016-12-05 security patch level is for a vulnerability tracked as CVE-2016-5195, but better known as Dirty COW. The Elevation of privilege vulnerability was found in Linux kernel, but the Android kernel memory subsystem was impacted as well, and exploits that abuse it were already made public.
In last month’s round of Android patches, Google included a patch level dedicated to the Dirty COW vulnerability, revealing that all devices running security patch level of 2016-11-06 would no longer be impacted by the bug. However, the company decided to roll out the actual patch for Nexus and Pixel devices only as part of this month’s set of updates.
The 2016-12-05 security patch level resolves a second Critical severity elevation of privilege vulnerability in kernel memory subsystem, tracked as CVE-2016-4794 and impacting Pixel C, Pixel, and Pixel XL devices. Other Critical Elevation of privilege flaws patched this month were found in NVIDIA GPU driver, kernel, NVIDIA video driver, kernel ION driver, and the Qualcomm MSM interface.
Most of the High severity flaws resolved by this patch level were Elevation of privilege bugs as well, affecting the kernel file system, kernel, HTC sound codec driver, MediaTek driver, Qualcomm media codecs, Qualcomm camera driver, kernel performance subsystem, MediaTek I2C driver, NVIDIA libomx library, Qualcomm sound driver, kernel security subsystem, Synaptics touchscreen driver, and Broadcom Wi-Fi driver.
Other resolved High risk issues include Information disclosure flaws in MediaTek video driver and NVIDIA video driver, along with Denial of service vulnerabilities in GPS and NVIDIA camera driver.
The 14 Medium risk fixes in this patch series resolve an Elevation of privilege vulnerability in kernel networking subsystem, along with 13 Information disclosure flaws in Qualcomm components, NVIDIA librm library, kernel components (such as the ION subsystem, Binder, USB driver and networking subsystem), NVIDIA video driver, and Qualcomm sound driver.
Related: Google Patches 23 Critical Vulnerabilities in Android