Android gets larger-than-usual patch bundle as researchers get to work

Monthly update goes out to Nexus owners, a few others


As a further sign that researchers are getting serious about finding holes in Android operating systems, Google has released one of its biggest ever monthly patch bundles, with 39 flaws fixed.

"The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," the update states. "There have been no reports of active customer exploitation or abuse of the other newly reported issues."

Of the 15 critical patches, eight cover mediaserver and Android's media center that are the hub of all music, messaging and video content users download. All allow remote code execution and this is the second month in a row of multiple patches for media handling, with a host of high and moderate fixes as well in this update.

The effects of Stagefright, the bug that prompted Google on the path of monthly updates – and the odd out-of-band patch – also linger. There's another critical patch that allows outsiders to install their own code on devices.

The Qualcomm Performance Module continued to give Android headaches, getting its third critical patch in three months. The company's RF component also needs an urgent fix.

A larger number of patches cover Android, oldest-supported 4.4 but there are plenty in newer versions too, particularly the most recent builds, and you can get the full list below:

Issue CVE Severity
Remote Code Execution Vulnerability in Mediaserver CVE-2016-0835

CVE-2016-0836

CVE-2016-0837

CVE-2016-0838

CVE-2016-0839

CVE-2016-0840

CVE-2016-0841

Critical
Remote Code Execution Vulnerability in Media Codec CVE-2016-0834 Critical
Remote Code Execution Vulnerability in libstagefright CVE-2016-0842 Critical
Elevation of Privilege Vulnerability in the Qualcomm Performance Component CVE-2016-0843 Critical
Elevation of Privilege Vulnerability in Qualcomm RF Component CVE-2016-0844 Critical
Elevation of Privilege Vulnerability in Kernel CVE-2016-1805

CVE-2016-9322

Critical
Remote Code Execution Vulnerability in DHCPCD CVE-2016-1503

CVE-2014-6060

Critical
Elevation of Privilege Vulnerability in IMemory Native Interface CVE-2016-0846 High
Elevation of Privilege Vulnerability in Telecom Component CVE-2016-0847 High
Elevation of Privilege Vulnerability in Download Manager CVE-2016-0848 High
Elevation of Privilege Vulnerability in Recovery Procedure CVE-2016-0849 High
Elevation of Privilege Vulnerability in Bluetooth CVE-2016-0850 High
Elevation of Privilege Vulnerability in Texas Instruments Haptic Driver CVE-2016-2409 High
Elevation of Privilege Vulnerability in a Video Kernel Driver CVE-2016-2410 High
Elevation of Privilege Vulnerability in Qualcomm Power Management Component CVE-2016-2411 High
Elevation of Privilege Vulnerability in System_server CVE-2016-2412 High
Elevation of Privilege Vulnerability in Mediaserver CVE-2016-2413 High
Denial of Service Vulnerability in Minikin CVE-2016-2414 High
Information Disclosure Vulnerability in Exchange ActiveSync CVE-2016-2415 High
Information Disclosure Vulnerability in Mediaserver CVE-2016-2416

CVE-2016-2417

CVE-2016-2418

CVE-2016-2419

High
Elevation of Privilege Vulnerability in Debuggerd Component CVE-2016-2420 Moderate
Elevation of Privilege Vulnerability in Setup Wizard CVE-2016-2421 Moderate
Elevation of Privilege Vulnerability in Wi-Fi CVE-2016-2422 Moderate
Elevation of Privilege Vulnerability in Telephony CVE-2016-2423 Moderate
Denial of Service Vulnerability in SyncStorageEngine CVE-2016-2424 Moderate
Information Disclosure Vulnerability in AOSP Mail CVE-2016-2425 Moderate
Information Disclosure Vulnerability in Framework CVE-2016-2426 Moderate
Information Disclosure Vulnerability in BouncyCastle CVE-2016-2427 Moderate

Judging from the size of the patch bundle, and the large and varied list of vulnerability contributors outside of the Chocolate Factory, it looks as though the Security Rewards scheme Google announced last July is paying dividends.

Researchers can earn up to $2,000 for a critical Android bug, but quadruple that if they also include a compatibility test suite to detect it, and a patch. But Google pays more for the big issues, as do others, and there's now a growing market of people making serious bounty money.

A regrettable number of Nexus owners tend to get rather smug on Android patching day, since they get the patches automatically. Those using other manufacturers' kit will have to wait and see. Samsung, LG are silent on the matter, although Blackphone users will probably be sorted out fastest of the non-Google phones. ®

Similar topics


Other stories you might like

  • Ubuntu 21.10: Plan to do yourself an Indri? Here's what's inside... including a bit of GNOME schooling

    Plus: Rounded corners make GNOME 40 look like Windows 11

    Review Canonical has released Ubuntu 21.10, or "Impish Indri" as this one is known. This is the last major version before next year's long-term support release of Ubuntu 22.04, and serves as a good preview of some of the changes coming for those who stick with LTS releases.

    If you prefer to run the latest and greatest, 21.10 is a solid release with a new kernel, a major GNOME update, and some theming changes. As a short-term support release, Ubuntu 21.10 will be supported for nine months, which covers you until July 2022, by which point 22.04 will already be out.

    Continue reading
  • Heart FM's borkfast show – a fine way to start your day

    Jamie and Amanda have a new co-presenter to contend with

    There can be few things worse than Microsoft Windows elbowing itself into a presenting partnership, as seen in this digital signage for the Heart breakfast show.

    For those unfamiliar with the station, Heart is a UK national broadcaster with Global as its parent. It currently consists of a dozen or so regional stations with a number of shows broadcast nationally. Including a perky breakfast show featuring former Live and Kicking presenter Jamie Theakston and Britain's Got Talent judge, Amanda Holden.

    Continue reading
  • Think your phone is snooping on you? Hold my beer, says basic physics

    Information wants to be free, and it's making its escape

    Opinion Forget the Singularity. That modern myth where AI learns to improve itself in an exponential feedback loop towards evil godhood ain't gonna happen. Spacetime itself sets hard limits on how fast information can be gathered and processed, no matter how clever you are.

    What we should expect in its place is the robot panopticon, a relatively dumb system with near-divine powers of perception. That's something the same laws of physics that prevent the Godbot practically guarantee. The latest foreshadowing of mankind's fate? The Ethernet cable.

    By itself, last week's story of a researcher picking up and decoding the unintended wireless emissions of an Ethernet cable is mildly interesting. It was the most labby of lab-based demos, with every possible tweak applied to maximise the chances of it working. It's not even as if it's a new discovery. The effect and its security implications have been known since the Second World War, when Bell Labs demonstrated to the US Army that a wired teleprinter encoder called SIGTOT was vulnerable. It could be monitored at a distance and the unencrypted messages extracted by the radio pulses it gave off in operation.

    Continue reading

Biting the hand that feeds IT © 1998–2021