Google Patches Android Holes

Friday, November 11, 2016 @ 04:11 PM gHale

Google issued November patches for Android that fix 23 critical security vulnerabilities.

In all there were 83 vulnerabilities, and on top of the 23 critical holes, 37 rated as high risk, 22 came in as medium risk, and one rated low.

Rowhammer Can Root into Android
Dirty COW Works on Android
Android RAT Builder Released
Android Malware in Over 3,000 Apps

Google divided this Android Security Bulletin into three parts.

The first part, security patch level of 2016-11-01, addresses multiple vulnerabilities in the Android platform, some of which affect version 4.4.4 of the operating system, while others only affect Android 7.0 devices. Overall, the first part fixes 28 issues, two of which were critical, 16 high risk, and 10 moderate.

The first critical bug was in mediaserver, the component that prompted Google last year to start issuing monthly security updates for the operating system after researchers discovered Stagefright, which affected a billion devices. By exploiting the newly patched flaw, an attacker using a specially crafted file could cause memory corruption during media file and data processing.

The second critical issue was an elevation of privilege in the libzipfile component, which could allow a local malicious application to execute arbitrary code within the context of a privileged process. The first vulnerability affects only Android 7.0 devices, the second was in Android 4.4.4, 5.0.2, and 5.1.1 devices, Google said in its advisory.

The second part of the security bulletin, which installs security patch level of 2016-11-05, addresses 20 critical flaws, 21 high risk issues, 12 moderate, and one low risk vulnerability in multiple components and OEM drivers. Some of them affect only Nexus and Pixel devices, while others touch Android 4.4.4 through 6.0.1 products.

Among the critical vulnerabilities, there is a remote code execution in Qualcomm crypto driver, elevation of privilege flaws in kernel file system, kernel SCSI driver, kernel media driver, kernel USB driver, kernel ION subsystem, Qualcomm bootloader, NVIDIA GPU driver, kernel networking subsystem, kernel sound subsystem, kernel ION subsystem, and Qualcomm components.

The third part of the security update brings devices to security patch level of 2016-11-06 and resolves a critical elevation of privilege vulnerability in kernel memory subsystem.

By exploiting this flaw, a local malicious application could execute arbitrary code within the context of the kernel. The vulnerability could result in local permanent device compromise, Google said.

Leave a Reply

You must be logged in to post a comment.