Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Patches 78 Vulnerabilities in Android

Google this week released another set of monthly patches for the Android mobile operating system, in an attempt to address no less than 78 security vulnerabilities.

Google this week released another set of monthly patches for the Android mobile operating system, in an attempt to address no less than 78 security vulnerabilities.

Just as it has over the past few months, Google split the October 2016 security patches in two, each focused on specific issues. The 2016-10-01 security patch level addresses 20 vulnerabilities in various platform components, while the 2016-10-05 security patch level plugs 58 flaws in kernel subsystems, drivers, and OEM components.

The 20 issues resolved with the 2016-10-01 security patch level affect all Nexus devices and include 15 High severity vulnerabilities, along with 5 Medium risk ones. Elevation of privilege vulnerabilities were the most common bugs resolved this month, Google’s advisory reveals. Numerous flaws were addressed in Mediaserver, a vulnerable component that Google re-architected in Android 7.0.

The update patches 11 Elevation of privilege vulnerabilities in ServiceManager, Lock Settings Service, Mediaserver, Zygote process, framework APIs, Telephony, Camera service, and fingerprint login; three Denial of service bugs in Wi-Fi, GPS, and Mediaserver; and one Information disclosure vulnerability in AOSP Mail, all rated High risk.

The Medium severity issues addressed this month include three Elevation of privilege bugs in Framework Listener, Telephony, and Accessibility services, one Information disclosure vulnerability in Mediaserver, and one Denial of service vulnerability in Wi-Fi.

The 2016-10-05 security patch level addresses 6 vulnerabilities of Critical severity, 32 flaws rated High severity, 19 rated Medium risk, and one Low severity flaw. As in the past several months, Qualcomm components were most affected.

The Critical severity flaws addressed in the second part of the October 2016 Android Security Bulletin include Remote code execution bugs in kernel ASN.1 decoder and kernel networking subsystem, along with Elevation of privilege vulnerabilities in MediaTek video driver and kernel shared memory driver, and vulnerabilities affecting Qualcomm components.

Among the 32 High risk flaws resolved this month, we can count issues in Qualcomm components; Elevation of privilege bugs in Qualcomm networking component, NVIDIA drivers (MMC test, camera), Mediaserver, Qualcomm drivers (Secure Execution Environment Communicator, camera, sound, crypto engine, video, Wi-Fi), MediaTek video driver, Synaptics touchscreen driver, system_server, and kernel performance subsystem; and Information disclosure vulnerabilities in kernel ION subsystem and NVIDIA GPU driver.

Advertisement. Scroll to continue reading.

The 19 Moderate risk issues include an Elevation of privilege vulnerability in Qualcomm character driver; Information disclosure flaws in Qualcomm sound driver, Motorola USBNet driver, Qualcomm components, kernel components, NVIDIA profiler, and kernel; a Denial of service bug in kernel networking subsystem; and vulnerabilities in Qualcomm components. The Low risk flaw is a Denial of service vulnerability in kernel sound driver.

Not all of the vulnerabilities addressed in the 2016-10-05 security patch level affect all Nexus devices and some of them affect no Nexus model. Because the security bulletin was split in two, manufacturers have the flexibility to fix vulnerabilities that are similar across Android devices faster than before, but Google encourages them to resolve all bugs in this bulletin.

Related: Google Patches QuadRooter, Other Critical Android Vulnerabilities

Related: Google Patches Tens of Critical Vulnerabilities in Android

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.