Huge double boxset of Android patches lands after Qualcomm disk encryption blown open

What a coincidence


Google has released two bundles of Android security patches this month: a smaller one to handle bugs in the operating system, and a larger package that tackles a raft of driver-level issues, particularly with Qualcomm's hardware.

The first tranche of patches includes eight critical, 11 high-severity, and nine moderate fixes. All but one of the critical patches are for Android's soon-to-be-redesigned Mediaserver, which also accounts for seven of the high-severity fixes and three of the moderates.

As ever, people have found new ways to corrupt and hijack Mediaserver using booby-trapped video files and multimedia messages. Opening a malicious vid could lead to full remote code execution on Android devices from version 4.4.4 up to the most recent build.

The other critical fix covers a flaw in OpenSSL and Google's stripped-down software fork BoringSSL. These libraries also suffer from memory corruption bugs that can be potentially exploited to execute code on vulnerable devices.

Other high-severity issues addressed in the update include a fix for the way Android handles Bluetooth communications: the flaw would allow an attacker to inject and run code on a nearby device during the initial pairing with a new person's device. Below is the full flaw list.

| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in Mediaserver | CVE-2016-2506, CVE-2016-2505, CVE-2016-2507, CVE-2016-2508, CVE-2016-3741, CVE-2016-3742, CVE-2016-3743 | Critical | Yes |
| Remote code execution vulnerability in OpenSSL & BoringSSL | CVE-2016-2108 | Critical | Yes |
| Remote code execution vulnerability in Bluetooth | CVE-2016-3744 | High | Yes |
| Elevation of privilege vulnerability in libpng | CVE-2016-3751 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3745, CVE-2016-3746, CVE-2016-3747 | High | Yes |
| Elevation of privilege vulnerability in sockets | CVE-2016-3748 | High | Yes |
| Elevation of privilege vulnerability in LockSettingsService | CVE-2016-3749 | High | Yes |
| Elevation of privilege vulnerability in Framework APIs | CVE-2016-3750 | High | Yes |
| Elevation of privilege vulnerability in ChooserTarget service | CVE-2016-3752 | High | Yes |
| Information disclosure vulnerability in Mediaserver | CVE-2016-3753 | High | No* |
| Information disclosure vulnerability in OpenSSL | CVE-2016-2107 | High | No* |
| Denial of service vulnerability in Mediaserver | CVE-2016-3754, CVE-2016-3755, CVE-2016-3756 | High | Yes |
| Denial of service vulnerability in libc | CVE-2016-3818 | High | No* |
| Elevation of privilege vulnerability in lsof | CVE-2016-3757 | Moderate | Yes |
| Elevation of privilege vulnerability in DexClassLoader | CVE-2016-3758 | Moderate | Yes |
| Elevation of privilege vulnerability in Framework APIs | CVE-2016-3759 | Moderate | Yes |
| Elevation of privilege vulnerability in Bluetooth | CVE-2016-3760 | Moderate | Yes |
| Elevation of privilege vulnerability in NFC | CVE-2016-3761 | Moderate | Yes |
| Elevation of privilege vulnerability in sockets | CVE-2016-3762 | Moderate | Yes |
| Information disclosure vulnerability in Proxy Auto-Config | CVE-2016-3763 | Moderate | Yes |
| Information disclosure vulnerability in Mediaserver | CVE-2016-3764, CVE-2016-3765 | Moderate | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2016-3766 | Moderate | Yes |

But wait, there's more

So far, so Google. The patch bundle is in line with other monthly patching packages from the Chocolate Factory. If you have a Google Nexus device, you'll get your hands on these fixes soon enough over the air automatically. If not, you may well have to wait a while for your device manufacturer and mobile carrier to push these updates to you – if they ever appear.

Meanwhile, Google is issuing a second string of patches that aren't going on general release: they'll be pushed out to Nexus owners and to hardware manufacturers who are expected to then pass on the updates to their customers.

This second set is a much larger tranche of code, including 12 critical fixes, 54 rated high severity, and nine moderates. Google said the second patch bundle will "provide Android partners with the flexibility to move more quickly to fix a subset of vulnerabilities that are similar across all Android devices."

What could this subset of vulnerabilities be? The list of fixes contains some interesting hints. Last week, security researcher Gal Beniamini found a way to defeat Android's full-disk encryption system using blunders in Qualcomm's KeyMaster cryptography program. The design flaws can potentially be exploited by someone who has seized your device to brute-force the unlock credential and decrypt your encrypted file system.

Google and Qualcomm said the problem was fixed in patches issued in January and May, and Mountain View paid Beniamini a bug bounty for his find. But the researcher pointed out that other flaws hiding within Android, particularly elevation of privilege bugs, could be found and exploited to break the encryption system again.

So it's interesting that this secondary bundle includes fixes for 40 flaws in Qualcomm components – more than half of the total – and pretty much all of them are escalation-of-privilege holes. If you were issuing a set of fixes to shore up devices against KeyMaster-based attacks, it would probably look a lot like this one.

The first two critical patches on the list are for the Qualcomm GPU drivers in Nexus 5X, 6, and 6P, to fix an elevation of privilege vulnerability that would allow an attacker to "execute arbitrary code within the context of the kernel." There are another 36 Qualcomm high- and moderate-severity flaw fixes included in the release.

All Nexus devices get a critical patch for an elevation of privilege vulnerability in the Android kernel file system that would have the same effect. Nexus 5 and 7 devices also get critical fixes for security vulnerabilities affecting Qualcomm components including the bootloader, camera, character, networking, sound, and video drivers.

There are also six critical patches for the Android One operating system, used by its basic device range. They fix flaws in the MediaTek Wi-Fi driver and other parts of the supplier's kit that would compromise the kernel and lead to the device having to be wiped to recover.

The full list is below. ®

| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Elevation of privilege vulnerability in Qualcomm GPU driver (Device specific) | CVE-2016-2503, CVE-2016-2067 | Critical | Yes |
| Elevation of privilege vulnerability in MediaTek Wi-Fi driver (Device specific) | CVE-2016-3767 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm performance component (Device specific) | CVE-2016-3768 | Critical | Yes |
| Elevation of privilege vulnerability in NVIDIA video driver (Device specific) | CVE-2016-3769 | Critical | Yes |
| Elevation of privilege vulnerability in MediaTek drivers (Device specific) | CVE-2016-3770, CVE-2016-3771, CVE-2016-3772, CVE-2016-3773, CVE-2016-3774 | Critical | Yes |
| Elevation of privilege vulnerability in kernel file system (Device specific) | CVE-2016-3775 | Critical | Yes |
| Elevation of privilege vulnerability in USB driver (Device specific) | CVE-2015-8816 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm components (Device specific) | CVE-2014-9794, CVE-2014-9795, CVE-2015-8892, CVE-2013-7457, CVE-2014-9781, CVE-2014-9786, CVE-2014-9788, CVE-2014-9779, CVE-2014-9780, CVE-2014-9789, CVE-2014-9793, CVE-2014-9782, CVE-2014-9783, CVE-2014-9785, CVE-2014-9787, CVE-2014-9784, CVE-2014-9777, CVE-2014-9778, CVE-2014-9790, CVE-2014-9792, CVE-2014-9797, CVE-2014-9791, CVE-2014-9796, CVE-2014-9800, CVE-2014-9799, CVE-2014-9801, CVE-2014-9802, CVE-2015-8891, CVE-2015-8888, CVE-2015-8889, CVE-2015-8890 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm USB driver (Device specific) | CVE-2016-2502 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (Device specific) | CVE-2016-3792 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm camera driver (Device specific) | CVE-2016-2501 | High | Yes |
| Elevation of privilege vulnerability in NVIDIA camera driver (Device specific) | CVE-2016-3793, CVE-2016-3794 | High | Yes |
| Elevation of privilege vulnerability in MediaTek power driver (Device specific) | CVE-2016-3795, CVE-2016-3796 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (Device specific) | CVE-2016-3797 | High | Yes |
| Elevation of privilege vulnerability in MediaTek hardware sensor driver (Device specific) | CVE-2016-3798 | High | Yes |
| Elevation of privilege vulnerability in MediaTek video driver (Device specific) | CVE-2016-3799, CVE-2016-3800 | High | Yes |
| Elevation of privilege vulnerability in MediaTek GPS driver (Device specific) | CVE-2016-3801 | High | Yes |
| Elevation of privilege vulnerability in kernel file system (Device specific) | CVE-2016-3802, CVE-2016-3803 | High | Yes |
| Elevation of privilege vulnerability in MediaTek power management driver (Device specific) | CVE-2016-3804, CVE-2016-3805 | High | Yes |
| Elevation of privilege vulnerability in MediaTek display driver (Device specific) | CVE-2016-3806 | High | Yes |
| Elevation of privilege vulnerability in serial peripheral interface driver (Device specific) | CVE-2016-3807, CVE-2016-3808 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm sound driver (Device specific) | CVE-2016-2068 | High | Yes |
| Elevation of privilege vulnerability in kernel (Device specific) | CVE-2014-9803 | High | Yes |
| Information disclosure vulnerability in networking component (Device specific) | CVE-2016-3809 | High | Yes |
| Information disclosure vulnerability in MediaTek Wi-Fi driver (Device specific) | CVE-2016-3810 | High | Yes |
| Elevation of privilege vulnerability in kernel video driver (Device specific) | CVE-2016-3811 | Moderate | Yes |
| Information disclosure vulnerability in MediaTek video codec driver (Device specific) | CVE-2016-3812 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm USB driver (Device specific) | CVE-2016-3813 | Moderate | Yes |
| Information disclosure vulnerability in NVIDIA camera driver (Device specific) | CVE-2016-3814, CVE-2016-3815 | Moderate | Yes |
| Information disclosure vulnerability in MediaTek display driver (Device specific) | CVE-2016-3816 | Moderate | Yes |
| Information disclosure vulnerability in kernel teletype driver (Device specific) | CVE-2016-0723 | Moderate | Yes |
| Denial of service vulnerability in Qualcomm bootloader (Device specific) | CVE-2014-9798, CVE-2015-8893 | Moderate | Yes |
