Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Patches Tens of Critical Vulnerabilities in Android

Google on Monday announced new security patches for the Android operating system, focusing mainly on resolving a series of critical bugs in drivers, some that had been reported years ago.

Google on Monday announced new security patches for the Android operating system, focusing mainly on resolving a series of critical bugs in drivers, some that had been reported years ago.

Last month, Google split the monthly Android patches in two parts, one focused on resolving issues within the platform itself, and the other focused on drivers and other components. This month, the latter focuses on flaws that have been largely ignored until now: 81 vulnerabilities affecting drivers and components, most of which were reported in 2014.

The first part of the monthly updates resolve 22 vulnerabilities in Android, including 3 Critical bugs in Mediaserver and 10 High severity and 9 Medium risk bugs in other components. Ever since Google first started issuing monthly patches a year ago, the Mediaserver component has constantly received fixes for numerous vulnerabilities, a trend that could continue.

The August 2016 Android security bulletin resolves three Remote Code Execution (RCE) flaws (CVE-2016-3819, CVE-2016-3820, and CVE-2016-3821) in Mediaserver, which could be triggered using a specially crafted file. The bugs affect Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1 versions and can be exploited via multiple applications, including messaging apps and browsers and are resolved on devices with security patch levels of 2016-08-01 or later.

Of the 10 High severity bugs resolved this month, one RCE bug was found in libjhead (CVE-2016-3822), one Denial of service (DoS) in system clock (CVE-2016-3831), and eight issues were discovered in Mediaserver, namely four Elevation of Privilege (EoP) bugs (CVE-2016-3823, CVE-2016-3824, CVE-2016-3825, CVE-2016-3826) and four DoS flaws (CVE-2016-3827, CVE-2016-3828, CVE-2016-3829, CVE-2016-3830). All of these vulnerabilities affect Android 4.4.4 to 6.0.1, Google’s security advisory reveals.

The remaining 9 Medium risk issues included an EoP in framework APIs, an EoP in Shell, Information disclosure bugs in OpenSSL, camera APIs, Mediaserver, SurfaceFlinger and Wi-Fi, and DoS flaws in system UI and Bluetooth. Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1 releases are affected.

The same as last month, Qualcomm components received the most patches in Google’s new security updates. These included 36 EoP flaws (one Critical – CVE-2014-9863, 33 High risk, and 2 Moderate), 10 information disclosure bugs (2 High and 8 Moderate risk), 2 Critical EoPs in GPU driver, one Critical RCE in Wi-Fi driver (CVE-2014-9902), one Critical EoP in performance component, one High risk EoP in bootloader, one High risk DoS, and three other flaws, also considered High severity.

Security patch levels of 2016-08-05 or later resolve these vulnerabilities, as well as multiple other flaws, including a Critical RCE in Conscrypt, and two Critical EoPs in the kernel and in kernel networking components. High severity EoPs in kernel memory system, kernel sound component, kernel file system, Mediaserver, kernel video driver, Serial Peripheral Interface driver, NVIDIA media driver, ION driver, kernel performance subsystem, and LG Electronics bootloader were also patched.

Advertisement. Scroll to continue reading.

Google also resolved High severity Information disclosure vulnerabilities in kernel scheduler, MediaTek Wi-Fi driver, and USB driver, along with Medium risk EoPs in Google Play services and Framework APIs, and Information disclosure vulnerabilities in kernel networking component and kernel sound component.

The majority of the vulnerabilities affecting the various Qualcomm components were reported in 2014, while many others were reported last year. Only some of them were reported this year. However, many of the flaws impacting other Android components were also two-year old bugs that haven’t been patched so far, despite some being critical.

Related: Overwhelming Majority of Android Devices Don’t Have Latest Security Patches

Related: Google Patches Stagefright 2.0 Flaws on Nexus Devices

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.