Google on Monday announced new security patches for the Android operating system, focusing mainly on resolving a series of critical bugs in drivers, some that had been reported years ago.
Last month, Google split the monthly Android patches in two parts, one focused on resolving issues within the platform itself, and the other focused on drivers and other components. This month, the latter focuses on flaws that have been largely ignored until now: 81 vulnerabilities affecting drivers and components, most of which were reported in 2014.
The first part of the monthly updates resolve 22 vulnerabilities in Android, including 3 Critical bugs in Mediaserver and 10 High severity and 9 Medium risk bugs in other components. Ever since Google first started issuing monthly patches a year ago, the Mediaserver component has constantly received fixes for numerous vulnerabilities, a trend that could continue.
The August 2016 Android security bulletin resolves three Remote Code Execution (RCE) flaws (CVE-2016-3819, CVE-2016-3820, and CVE-2016-3821) in Mediaserver, which could be triggered using a specially crafted file. The bugs affect Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1 versions and can be exploited via multiple applications, including messaging apps and browsers and are resolved on devices with security patch levels of 2016-08-01 or later.
Of the 10 High severity bugs resolved this month, one RCE bug was found in libjhead (CVE-2016-3822), one Denial of service (DoS) in system clock (CVE-2016-3831), and eight issues were discovered in Mediaserver, namely four Elevation of Privilege (EoP) bugs (CVE-2016-3823, CVE-2016-3824, CVE-2016-3825, CVE-2016-3826) and four DoS flaws (CVE-2016-3827, CVE-2016-3828, CVE-2016-3829, CVE-2016-3830). All of these vulnerabilities affect Android 4.4.4 to 6.0.1, Google’s security advisory reveals.
The remaining 9 Medium risk issues included an EoP in framework APIs, an EoP in Shell, Information disclosure bugs in OpenSSL, camera APIs, Mediaserver, SurfaceFlinger and Wi-Fi, and DoS flaws in system UI and Bluetooth. Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1 releases are affected.
The same as last month, Qualcomm components received the most patches in Google’s new security updates. These included 36 EoP flaws (one Critical – CVE-2014-9863, 33 High risk, and 2 Moderate), 10 information disclosure bugs (2 High and 8 Moderate risk), 2 Critical EoPs in GPU driver, one Critical RCE in Wi-Fi driver (CVE-2014-9902), one Critical EoP in performance component, one High risk EoP in bootloader, one High risk DoS, and three other flaws, also considered High severity.
Security patch levels of 2016-08-05 or later resolve these vulnerabilities, as well as multiple other flaws, including a Critical RCE in Conscrypt, and two Critical EoPs in the kernel and in kernel networking components. High severity EoPs in kernel memory system, kernel sound component, kernel file system, Mediaserver, kernel video driver, Serial Peripheral Interface driver, NVIDIA media driver, ION driver, kernel performance subsystem, and LG Electronics bootloader were also patched.
Google also resolved High severity Information disclosure vulnerabilities in kernel scheduler, MediaTek Wi-Fi driver, and USB driver, along with Medium risk EoPs in Google Play services and Framework APIs, and Information disclosure vulnerabilities in kernel networking component and kernel sound component.
The majority of the vulnerabilities affecting the various Qualcomm components were reported in 2014, while many others were reported last year. Only some of them were reported this year. However, many of the flaws impacting other Android components were also two-year old bugs that haven’t been patched so far, despite some being critical.