HackDig : Dig high-quality web security articles for hacker


New Android Security Patch Level System Is a Convoluted Mess

2016-09-07 11:00

Google has released today the September edition of the Android Security Bulletin, which, starting this month, features a new three-level patching string system that is extremely confusing, even for Android professionals.

The "Android security patch level" string is a setting in the phone's "About" section that tells you the date of the last security update your phone received.

Google introduced this string when it started delivering scheduled monthly updates last August.

In May 2016, the company renamed the Nexus Security Bulletin to the Android Security Bulletin to reflect that some of the fixes addressed all Android devices, not just its own.

In July 2015, the company split the bulletin in two, with one section addressing security fixes in core Android files and the second containing fixes in device-specific drivers and components. As such, the bulletin featured, for the first time, two security patch levels.

September security bulletin fixes 54 security issues

For this month, lo and behold, the Android Security Bulletin now has three security patch levels that for sure will confuse users.

There's the "2016-09-01" security patch level that includes core security updates for the Android OS.

There's the "2016-09-05" security patch level indicating that a device has received security updates for core files and device-specific drivers.

And there's "2016-09-06," which indicates the phone includes security updates for core files, device-specific drivers, and... we don't know. For this month, the third security patch level includes two bug fixes: one a critical update for an Android core-related issue, and one for a Qualcomm networking component. It doesn't really make much sense.

Remember, this was the same company that was cited saying it would start shaming OEMs for failing to implement security fixes. Well, Google isn't making their life easier.

Below is the screenshot of an Android device's security patch level string, and all the security fixes included in this month's security bulletin.

Android security patch level string
2016-09-01 security patch level—Vulnerability summary

| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in LibUtils | CVE-2016-3861 | Critical | Yes |
| Remote code execution vulnerability in Mediaserver | CVE-2016-3862 | Critical | Yes |
| Remote code execution vulnerability in MediaMuxer | CVE-2016-3863 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3870, CVE-2016-3871, CVE-2016-3872 | High | Yes |
| Elevation of privilege vulnerability in device boot | CVE-2016-3875 | High | No* |
| Elevation of privilege vulnerability in Settings | CVE-2016-3876 | High | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2016-3899, CVE-2016-3878, CVE-2016-3879, CVE-2016-3880, CVE-2016-3881 | High | Yes |
| Elevation of privilege vulnerability in Telephony | CVE-2016-3883 | Moderate | Yes |
| Elevation of privilege vulnerability in Notification Manager Service | CVE-2016-3884 | Moderate | Yes |
| Elevation of privilege vulnerability in Debuggerd | CVE-2016-3885 | Moderate | Yes |
| Elevation of privilege vulnerability in System UI Tuner | CVE-2016-3886 | Moderate | Yes |
| Elevation of privilege vulnerability in Settings | CVE-2016-3887 | Moderate | Yes |
| Elevation of privilege vulnerability in SMS | CVE-2016-3888 | Moderate | Yes |
| Elevation of privilege vulnerability in Settings | CVE-2016-3889 | Moderate | Yes |
| Elevation of privilege vulnerability in Java Debug Wire Protocol | CVE-2016-3890 | Moderate | No* |
| Information disclosure vulnerability in Mediaserver | CVE-2016-3895 | Moderate | Yes |
| Information disclosure vulnerability in AOSP Mail | CVE-2016-3896 | Moderate | No* |
| Information disclosure vulnerability in Wi-Fi | CVE-2016-3897 | Moderate | No* |
| Denial of service vulnerability in Telephony | CVE-2016-3898 | Moderate | Yes |

2016-09-05 security patch level—Vulnerability summary

| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Elevation of privilege vulnerability in kernel security subsystem | CVE-2014-9529, CVE-2016-4470 | Critical | Yes |
| Elevation of privilege vulnerability in kernel networking subsystem | CVE-2013-7446 | Critical | Yes |
| Elevation of privilege vulnerability in kernel netfilter subsystem | CVE-2016-3134 | Critical | Yes |
| Elevation of privilege vulnerability in kernel USB driver | CVE-2016-3951 | Critical | Yes |
| Elevation of privilege vulnerability in kernel sound subsystem | CVE-2014-4655 | High | Yes |
| Elevation of privilege vulnerability in kernel ASN.1 decoder | CVE-2016-2053 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm radio interface layer | CVE-2016-3864 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm subsystem driver | CVE-2016-3858 | High | Yes |
| Elevation of privilege vulnerability in kernel networking driver | CVE-2016-4805 | High | Yes |
| Elevation of privilege vulnerability in Synaptics touchscreen driver | CVE-2016-3865 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm camera driver | CVE-2016-3859 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm sound driver | CVE-2016-3866 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm IPA driver | CVE-2016-3867 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm power driver | CVE-2016-3868 | High | Yes |
| Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2016-3869 | High | Yes |
| Elevation of privilege vulnerability in kernel eCryptfs filesystem | CVE-2016-1583 | High | Yes |
| Elevation of privilege vulnerability in NVIDIA kernel | CVE-2016-3873 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm Wi-Fi driver | CVE-2016-3874 | High | Yes |
| Denial of service vulnerability in kernel networking subsystem | CVE-2015-1465, CVE-2015-5364 | High | Yes |
| Denial of service vulnerability in kernel ext4 file system | CVE-2015-8839 | High | Yes |
| Information disclosure vulnerability in Qualcomm SPMI driver | CVE-2016-3892 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm sound codec | CVE-2016-3893 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm DMA component | CVE-2016-3894 | Moderate | Yes |
| Information disclosure vulnerability in kernel networking subsystem | CVE-2016-4998 | Moderate | Yes |
| Denial of service vulnerability in kernel networking subsystem | CVE-2015-2922 | Moderate | Yes |
| Vulnerabilities in Qualcomm components | CVE-2016-2469 | High | No |

2016-09-06 security patch level—Vulnerability summary

| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Elevation of privilege vulnerability in kernel shared memory subsystem | CVE-2016-5340 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm networking component | CVE-2016-2059 | High | Yes |


Source: news.softpedia.com/news/new-android-security-patch-level-system-is-a-convoluted-mess-508028.s
