Huge double boxset of Android patches lands after Qualcomm disk encryption blown open
What a coincidence
Google has released two bundles of Android security patches this month: a smaller one to handle bugs in the operating system, and a larger package that tackles a raft of driver-level issues, particularly with Qualcomm's hardware.
The first tranche of patches includes eight critical fixes, 11 rated high severity, and nine considered moderate. All but one of the critical patches are for Android's soon-to-be redesigned Mediaserver, which also accounts for seven of the high-severity fixes and three of the moderates.
As ever, people have found new ways to corrupt and hijack Mediaserver using booby-trapped video files and multimedia messages. Opening a malicious vid could lead to full remote code execution on Android devices from version 4.4.4 up to the most recent build.
The other critical fix covers a flaw in OpenSSL and Google's stripped-down software fork BoringSSL. These libraries also suffer from memory corruption bugs that can be potentially exploited to execute code on vulnerable devices.
Other high-importance issues in the update include a fix for the way Android handles Bluetooth communications, which would otherwise allow an attacker to inject and run code on a nearby device while it performs an initial pairing with a new person. The full flaw list is below.
Issue | CVE | Severity | Affects Nexus? |
---|---|---|---|
Remote code execution vulnerability in Mediaserver | CVE-2016-2506, CVE-2016-2505, CVE-2016-2507, CVE-2016-2508, CVE-2016-3741, CVE-2016-3742, CVE-2016-3743 | Critical | Yes |
Remote code execution vulnerability in OpenSSL & BoringSSL | CVE-2016-2108 | Critical | Yes |
Remote code execution vulnerability in Bluetooth | CVE-2016-3744 | High | Yes |
Elevation of privilege vulnerability in libpng | CVE-2016-3751 | High | Yes |
Elevation of privilege vulnerability in Mediaserver | CVE-2016-3745, CVE-2016-3746, CVE-2016-3747 | High | Yes |
Elevation of privilege vulnerability in sockets | CVE-2016-3748 | High | Yes |
Elevation of privilege vulnerability in LockSettingsService | CVE-2016-3749 | High | Yes |
Elevation of privilege vulnerability in Framework APIs | CVE-2016-3750 | High | Yes |
Elevation of privilege vulnerability in ChooserTarget service | CVE-2016-3752 | High | Yes |
Information disclosure vulnerability in Mediaserver | CVE-2016-3753 | High | No* |
Information disclosure vulnerability in OpenSSL | CVE-2016-2107 | High | No* |
Denial of service vulnerability in Mediaserver | CVE-2016-3754, CVE-2016-3755, CVE-2016-3756 | High | Yes |
Denial of service vulnerability in libc | CVE-2016-3818 | High | No* |
Elevation of privilege vulnerability in lsof | CVE-2016-3757 | Moderate | Yes |
Elevation of privilege vulnerability in DexClassLoader | CVE-2016-3758 | Moderate | Yes |
Elevation of privilege vulnerability in Framework APIs | CVE-2016-3759 | Moderate | Yes |
Elevation of privilege vulnerability in Bluetooth | CVE-2016-3760 | Moderate | Yes |
Elevation of privilege vulnerability in NFC | CVE-2016-3761 | Moderate | Yes |
Elevation of privilege vulnerability in sockets | CVE-2016-3762 | Moderate | Yes |
Information disclosure vulnerability in Proxy Auto-Config | CVE-2016-3763 | Moderate | Yes |
Information disclosure vulnerability in Mediaserver | CVE-2016-3764, CVE-2016-3765 | Moderate | Yes |
Denial of service vulnerability in Mediaserver | CVE-2016-3766 | Moderate | Yes |
But wait, there's more
So far, so Google. The patch bundle is in line with other monthly patching packages from the Chocolate Factory. If you have a Google Nexus device, you'll get your hands on these fixes soon enough over the air automatically. If not, you may well have to wait a while for your device manufacturer and mobile carrier to push these updates to you – if they ever appear.
Meanwhile, Google is issuing a second string of patches that aren't going on general release: they'll be pushed out to Nexus owners and to hardware manufacturers who are expected to then pass on the updates to their customers.
This second set is a much larger tranche of code, including 12 critical fixes, 54 rated high severity, and nine moderates. Google said the second patch bundle will "provide Android partners with the flexibility to move more quickly to fix a subset of vulnerabilities that are similar across all Android devices."
What could this subset of vulnerabilities be? The list of fixes contains some interesting hints. Last week, security researcher Gal Beniamini found a way to defeat Android's full-disk encryption system using blunders in Qualcomm's KeyMaster cryptography program. The design flaws can potentially be exploited by someone who has seized your device to unlock and decrypt its encrypted file system by brute force.
Google and Qualcomm said the problem was fixed in patches issued in January and May, and Mountain View paid Beniamini a bug bounty for his find. But the researcher pointed out that other flaws hiding within Android, particularly elevation of privilege bugs, could be found and exploited to break the encryption system again.
So it's interesting that this secondary bundle includes fixes for 40 flaws in Qualcomm components – more than half of the total – and pretty much all of them are escalation-of-privilege holes. If you were issuing a set of fixes to shore up devices against KeyMaster-based attacks, it would probably look a lot like this one.
The first two critical patches on the list are for the Qualcomm GPU drivers in Nexus 5X, 6, and 6P, to fix an elevation of privilege vulnerability that would allow an attacker to "execute arbitrary code within the context of the kernel." There are another 36 Qualcomm high- and moderate-severity flaw fixes included in the release.
All Nexus devices get a critical patch for an elevation of privilege vulnerability in the Android kernel file system that would have the same effect. Nexus 5 and 7 devices also get critical fixes for security vulnerabilities affecting Qualcomm components including the bootloader, camera, character, networking, sound, and video drivers.
There are also six critical patches for the Android One operating system, used by Google's basic device range. They fix flaws in the MediaTek Wi-Fi driver and other parts of the supplier's kit that would compromise the kernel and leave the device having to be wiped to recover.
The full list is below. ®
Issue | CVE | Severity | Affects Nexus? |
---|---|---|---|
Elevation of privilege vulnerability in Qualcomm GPU driver (Device specific) | CVE-2016-2503, CVE-2016-2067 | Critical | Yes |
Elevation of privilege vulnerability in MediaTek Wi-Fi driver (Device specific) | CVE-2016-3767 | Critical | Yes |
Elevation of privilege vulnerability in Qualcomm performance component (Device specific) | CVE-2016-3768 | Critical | Yes |
Elevation of privilege vulnerability in NVIDIA video driver (Device specific) | CVE-2016-3769 | Critical | Yes |
Elevation of privilege vulnerability in MediaTek drivers (Device specific) | CVE-2016-3770, CVE-2016-3771, CVE-2016-3772, CVE-2016-3773, CVE-2016-3774 | Critical | Yes |
Elevation of privilege vulnerability in kernel file system (Device specific) | CVE-2016-3775 | Critical | Yes |
Elevation of privilege vulnerability in USB driver (Device specific) | CVE-2015-8816 | Critical | Yes |
Elevation of privilege vulnerability in Qualcomm components (Device specific) | CVE-2014-9794, CVE-2014-9795, CVE-2015-8892, CVE-2013-7457, CVE-2014-9781, CVE-2014-9786, CVE-2014-9788, CVE-2014-9779, CVE-2014-9780, CVE-2014-9789, CVE-2014-9793, CVE-2014-9782, CVE-2014-9783, CVE-2014-9785, CVE-2014-9787, CVE-2014-9784, CVE-2014-9777, CVE-2014-9778, CVE-2014-9790, CVE-2014-9792, CVE-2014-9797, CVE-2014-9791, CVE-2014-9796, CVE-2014-9800, CVE-2014-9799, CVE-2014-9801, CVE-2014-9802, CVE-2015-8891, CVE-2015-8888, CVE-2015-8889, CVE-2015-8890 | High | Yes |
Elevation of privilege vulnerability in Qualcomm USB driver (Device specific) | CVE-2016-2502 | High | Yes |
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (Device specific) | CVE-2016-3792 | High | Yes |
Elevation of privilege vulnerability in Qualcomm camera driver (Device specific) | CVE-2016-2501 | High | Yes |
Elevation of privilege vulnerability in NVIDIA camera driver (Device specific) | CVE-2016-3793, CVE-2016-3794 | High | Yes |
Elevation of privilege vulnerability in MediaTek power driver (Device specific) | CVE-2016-3795, CVE-2016-3796 | High | Yes |
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (Device specific) | CVE-2016-3797 | High | Yes |
Elevation of privilege vulnerability in MediaTek hardware sensor driver (Device specific) | CVE-2016-3798 | High | Yes |
Elevation of privilege vulnerability in MediaTek video driver (Device specific) | CVE-2016-3799, CVE-2016-3800 | High | Yes |
Elevation of privilege vulnerability in MediaTek GPS driver (Device specific) | CVE-2016-3801 | High | Yes |
Elevation of privilege vulnerability in kernel file system (Device specific) | CVE-2016-3802, CVE-2016-3803 | High | Yes |
Elevation of privilege vulnerability in MediaTek power management driver (Device specific) | CVE-2016-3804, CVE-2016-3805 | High | Yes |
Elevation of privilege vulnerability in MediaTek display driver (Device specific) | CVE-2016-3806 | High | Yes |
Elevation of privilege vulnerability in serial peripheral interface driver (Device specific) | CVE-2016-3807, CVE-2016-3808 | High | Yes |
Elevation of privilege vulnerability in Qualcomm sound driver (Device specific) | CVE-2016-2068 | High | Yes |
Elevation of privilege vulnerability in kernel (Device specific) | CVE-2014-9803 | High | Yes |
Information disclosure vulnerability in networking component (Device specific) | CVE-2016-3809 | High | Yes |
Information disclosure vulnerability in MediaTek Wi-Fi driver (Device specific) | CVE-2016-3810 | High | Yes |
Elevation of privilege vulnerability in kernel video driver (Device specific) | CVE-2016-3811 | Moderate | Yes |
Information disclosure vulnerability in MediaTek video codec driver (Device specific) | CVE-2016-3812 | Moderate | Yes |
Information disclosure vulnerability in Qualcomm USB driver (Device specific) | CVE-2016-3813 | Moderate | Yes |
Information disclosure vulnerability in NVIDIA camera driver (Device specific) | CVE-2016-3814, CVE-2016-3815 | Moderate | Yes |
Information disclosure vulnerability in MediaTek display driver (Device specific) | CVE-2016-3816 | Moderate | Yes |
Information disclosure vulnerability in kernel teletype driver (Device specific) | CVE-2016-0723 | Moderate | Yes |
Denial of service vulnerability in Qualcomm bootloader (Device specific) | CVE-2014-9798, CVE-2015-8893 | Moderate | Yes |
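The two-bundle arrangement above means an administrator has to work out for themselves whether a given handset has actually received the device-specific fixes. As an added example (not code from the article, from Google, or from any vendor's bulletin tooling), here is a small Python triage helper: it parses the device-specific table above, exactly as the page lays it out, into records, counts CVE identifiers per severity, picks out rows that name a given vendor, and compares a device's reported `ro.build.version.security_patch` value against the patch level a bulletin requires, treating a missing or malformed value as unpatched. The `REQUIRED_LEVEL` date is an assumed placeholder, since the article does not quote the bulletin's patch-level string, and all function names are my own.

```python
"""Triage helper for a flattened Android security bulletin table (added example)."""
import re
from collections import Counter
from datetime import date

# Constructed input: the device-specific rows of the second table in the
# article, copied in the page's own pipe-separated layout. The header and
# separator rows are kept to show that the parser skips them.
BULLETIN_TABLE = """\
Issue | CVE | Severity | Affects Nexus? |
---|---|---|---|
Elevation of privilege vulnerability in Qualcomm GPU driver (Device specific) | CVE-2016-2503, CVE-2016-2067 | Critical | Yes |
Elevation of privilege vulnerability in MediaTek Wi-Fi driver (Device specific) | CVE-2016-3767 | Critical | Yes |
Elevation of privilege vulnerability in Qualcomm performance component (Device specific) | CVE-2016-3768 | Critical | Yes |
Elevation of privilege vulnerability in NVIDIA video driver (Device specific) | CVE-2016-3769 | Critical | Yes |
Elevation of privilege vulnerability in MediaTek drivers (Device specific) | CVE-2016-3770, CVE-2016-3771, CVE-2016-3772, CVE-2016-3773, CVE-2016-3774 | Critical | Yes |
Elevation of privilege vulnerability in kernel file system (Device specific) | CVE-2016-3775 | Critical | Yes |
Elevation of privilege vulnerability in USB driver (Device specific) | CVE-2015-8816 | Critical | Yes |
Elevation of privilege vulnerability in Qualcomm components (Device specific) | CVE-2014-9794, CVE-2014-9795, CVE-2015-8892, CVE-2013-7457, CVE-2014-9781, CVE-2014-9786, CVE-2014-9788, CVE-2014-9779, CVE-2014-9780, CVE-2014-9789, CVE-2014-9793, CVE-2014-9782, CVE-2014-9783, CVE-2014-9785, CVE-2014-9787, CVE-2014-9784, CVE-2014-9777, CVE-2014-9778, CVE-2014-9790, CVE-2014-9792, CVE-2014-9797, CVE-2014-9791, CVE-2014-9796, CVE-2014-9800, CVE-2014-9799, CVE-2014-9801, CVE-2014-9802, CVE-2015-8891, CVE-2015-8888, CVE-2015-8889, CVE-2015-8890 | High | Yes |
Elevation of privilege vulnerability in Qualcomm USB driver (Device specific) | CVE-2016-2502 | High | Yes |
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (Device specific) | CVE-2016-3792 | High | Yes |
Elevation of privilege vulnerability in Qualcomm camera driver (Device specific) | CVE-2016-2501 | High | Yes |
Elevation of privilege vulnerability in NVIDIA camera driver (Device specific) | CVE-2016-3793, CVE-2016-3794 | High | Yes |
Elevation of privilege vulnerability in MediaTek power driver (Device specific) | CVE-2016-3795, CVE-2016-3796 | High | Yes |
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (Device specific) | CVE-2016-3797 | High | Yes |
Elevation of privilege vulnerability in MediaTek hardware sensor driver (Device specific) | CVE-2016-3798 | High | Yes |
Elevation of privilege vulnerability in MediaTek video driver (Device specific) | CVE-2016-3799, CVE-2016-3800 | High | Yes |
Elevation of privilege vulnerability in MediaTek GPS driver (Device specific) | CVE-2016-3801 | High | Yes |
Elevation of privilege vulnerability in kernel file system (Device specific) | CVE-2016-3802, CVE-2016-3803 | High | Yes |
Elevation of privilege vulnerability in MediaTek power management driver (Device specific) | CVE-2016-3804, CVE-2016-3805 | High | Yes |
Elevation of privilege vulnerability in MediaTek display driver (Device specific) | CVE-2016-3806 | High | Yes |
Elevation of privilege vulnerability in serial peripheral interface driver (Device specific) | CVE-2016-3807, CVE-2016-3808 | High | Yes |
Elevation of privilege vulnerability in Qualcomm sound driver (Device specific) | CVE-2016-2068 | High | Yes |
Elevation of privilege vulnerability in kernel (Device specific) | CVE-2014-9803 | High | Yes |
Information disclosure vulnerability in networking component (Device specific) | CVE-2016-3809 | High | Yes |
Information disclosure vulnerability in MediaTek Wi-Fi driver (Device specific) | CVE-2016-3810 | High | Yes |
Elevation of privilege vulnerability in kernel video driver (Device specific) | CVE-2016-3811 | Moderate | Yes |
Information disclosure vulnerability in MediaTek video codec driver (Device specific) | CVE-2016-3812 | Moderate | Yes |
Information disclosure vulnerability in Qualcomm USB driver (Device specific) | CVE-2016-3813 | Moderate | Yes |
Information disclosure vulnerability in NVIDIA camera driver (Device specific) | CVE-2016-3814, CVE-2016-3815 | Moderate | Yes |
Information disclosure vulnerability in MediaTek display driver (Device specific) | CVE-2016-3816 | Moderate | Yes |
Information disclosure vulnerability in kernel teletype driver (Device specific) | CVE-2016-0723 | Moderate | Yes |
Denial of service vulnerability in Qualcomm bootloader (Device specific) | CVE-2014-9798, CVE-2015-8893 | Moderate | Yes |
"""

# Assumed placeholder: the article does not quote the bulletin's patch-level
# string, so take the real value from the bulletin when using this for real.
REQUIRED_LEVEL = "2016-07-05"

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SEVERITY_RANK = {"Critical": 3, "High": 2, "Moderate": 1, "Low": 0}


def parse_bulletin(table_text):
    """Turn the pipe-separated table into a list of dicts, skipping the header
    and separator rows and any line that does not have all four columns."""
    rows = []
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or cells[0] == "Issue" or cells[0].startswith("---"):
            continue
        rows.append({"issue": cells[0], "cves": CVE_RE.findall(cells[1]),
                     "severity": cells[2], "nexus": cells[3]})
    return rows


def cves_by_severity(rows):
    """Count distinct CVE identifiers per severity rating (CVEs, not rows)."""
    counts = Counter()
    for row in rows:
        counts[row["severity"]] += len(set(row["cves"]))
    return dict(counts)


def rows_mentioning(rows, component):
    """Rows whose issue text names a vendor or component, case-insensitively."""
    needle = component.lower()
    return [row for row in rows if needle in row["issue"].lower()]


def device_is_patched(reported_level, required_level):
    """Compare a device's ro.build.version.security_patch value (YYYY-MM-DD)
    against the required level. Anything unparsable fails closed: a device
    whose property is missing or mangled is reported as unpatched."""
    try:
        return date.fromisoformat(reported_level) >= date.fromisoformat(required_level)
    except (TypeError, ValueError):
        return False


def outstanding_issues(rows, reported_level, required_level, min_severity="High"):
    """Bulletin rows at or above min_severity that a device still lacks;
    empty once the device reports the required level or newer."""
    if device_is_patched(reported_level, required_level):
        return []
    floor = SEVERITY_RANK[min_severity]
    return [r for r in rows if SEVERITY_RANK.get(r["severity"], 0) >= floor]


if __name__ == "__main__":
    rows = parse_bulletin(BULLETIN_TABLE)
    print("CVEs per severity:", cves_by_severity(rows))
    print("rows naming Qualcomm:", len(rows_mentioning(rows, "Qualcomm")))
    # Constructed value, as `adb shell getprop ro.build.version.security_patch`
    # would print it on a handset that has not yet received the bundle.
    for row in outstanding_issues(rows, "2016-06-01", REQUIRED_LEVEL, "Critical"):
        print("still exposed:", row["issue"], "->", ", ".join(row["cves"]))
```

The severity counts the parser produces for this table agree with the article's figures of 12 critical, 54 high and nine moderate, which is a cheap sanity check that the table was extracted intact; note that `cves_by_severity` counts identifiers rather than rows, so it will not match a bulletin summary that counts issues. Feeding the function a real device's property string (rather than the constructed one in the demo) turns it into a quick fleet check for which handsets are still waiting on their manufacturer or carrier for the device-specific bundle.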