Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Patches 78 Vulnerabilities in Android

Google this week released another set of monthly patches for the Android mobile operating system, in an attempt to address no less than 78 security vulnerabilities.

Google this week released another set of monthly patches for the Android mobile operating system, in an attempt to address no less than 78 security vulnerabilities.

Just as it has over the past few months, Google split the October 2016 security patches in two, each focused on specific issues. The 2016-10-01 security patch level addresses 20 vulnerabilities in various platform components, while the 2016-10-05 security patch level plugs 58 flaws in kernel subsystems, drivers, and OEM components.

The 20 issues resolved with the 2016-10-01 security patch level affect all Nexus devices and include 15 High severity vulnerabilities, along with 5 Medium risk ones. Elevation of privilege vulnerabilities were the most common bugs resolved this month, Google’s advisory reveals. Numerous flaws were addressed in Mediaserver, a vulnerable component that Google re-architected in Android 7.0.

The update patches 11 Elevation of privilege vulnerabilities in ServiceManager, Lock Settings Service, Mediaserver, Zygote process, framework APIs, Telephony, Camera service, and fingerprint login; three Denial of service bugs in Wi-Fi, GPS, and Mediaserver; and one Information disclosure vulnerability in AOSP Mail, all rated High risk.

The Medium severity issues addressed this month include three Elevation of privilege bugs in Framework Listener, Telephony, and Accessibility services, one Information disclosure vulnerability in Mediaserver, and one Denial of service vulnerability in Wi-Fi.

The 2016-10-05 security patch level addresses 6 vulnerabilities of Critical severity, 32 flaws rated High severity, 19 rated Medium risk, and one Low severity flaw. As in the past several months, Qualcomm components were most affected.

The Critical severity flaws addressed in the second part of the October 2016 Android Security Bulletin include Remote code execution bugs in kernel ASN.1 decoder and kernel networking subsystem, along with Elevation of privilege vulnerabilities in MediaTek video driver and kernel shared memory driver, and vulnerabilities affecting Qualcomm components.

Among the 32 High risk flaws resolved this month, we can count issues in Qualcomm components; Elevation of privilege bugs in Qualcomm networking component, NVIDIA drivers (MMC test, camera), Mediaserver, Qualcomm drivers (Secure Execution Environment Communicator, camera, sound, crypto engine, video, Wi-Fi), MediaTek video driver, Synaptics touchscreen driver, system_server, and kernel performance subsystem; and Information disclosure vulnerabilities in kernel ION subsystem and NVIDIA GPU driver.

The 19 Moderate risk issues include an Elevation of privilege vulnerability in Qualcomm character driver; Information disclosure flaws in Qualcomm sound driver, Motorola USBNet driver, Qualcomm components, kernel components, NVIDIA profiler, and kernel; a Denial of service bug in kernel networking subsystem; and vulnerabilities in Qualcomm components. The Low risk flaw is a Denial of service vulnerability in kernel sound driver.

Not all of the vulnerabilities addressed in the 2016-10-05 security patch level affect all Nexus devices and some of them affect no Nexus model. Because the security bulletin was split in two, manufacturers have the flexibility to fix vulnerabilities that are similar across Android devices faster than before, but Google encourages them to resolve all bugs in this bulletin.

Related: Google Patches QuadRooter, Other Critical Android Vulnerabilities

Related: Google Patches Tens of Critical Vulnerabilities in Android

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.