Google this week released another set of monthly patches for the Android mobile operating system, in an attempt to address no less than 78 security vulnerabilities.
Just as it has over the past few months, Google split the October 2016 security patches in two, each focused on specific issues. The 2016-10-01 security patch level addresses 20 vulnerabilities in various platform components, while the 2016-10-05 security patch level plugs 58 flaws in kernel subsystems, drivers, and OEM components.
The 20 issues resolved with the 2016-10-01 security patch level affect all Nexus devices and include 15 High severity vulnerabilities, along with 5 Medium risk ones. Elevation of privilege vulnerabilities were the most common bugs resolved this month, Google’s advisory reveals. Numerous flaws were addressed in Mediaserver, a vulnerable component that Google re-architected in Android 7.0.
The update patches 11 Elevation of privilege vulnerabilities in ServiceManager, Lock Settings Service, Mediaserver, Zygote process, framework APIs, Telephony, Camera service, and fingerprint login; three Denial of service bugs in Wi-Fi, GPS, and Mediaserver; and one Information disclosure vulnerability in AOSP Mail, all rated High risk.
The Medium severity issues addressed this month include three Elevation of privilege bugs in Framework Listener, Telephony, and Accessibility services, one Information disclosure vulnerability in Mediaserver, and one Denial of service vulnerability in Wi-Fi.
The 2016-10-05 security patch level addresses 6 vulnerabilities of Critical severity, 32 flaws rated High severity, 19 rated Medium risk, and one Low severity flaw. As in the past several months, Qualcomm components were most affected.
The Critical severity flaws addressed in the second part of the October 2016 Android Security Bulletin include Remote code execution bugs in kernel ASN.1 decoder and kernel networking subsystem, along with Elevation of privilege vulnerabilities in MediaTek video driver and kernel shared memory driver, and vulnerabilities affecting Qualcomm components.
Among the 32 High risk flaws resolved this month, we can count issues in Qualcomm components; Elevation of privilege bugs in Qualcomm networking component, NVIDIA drivers (MMC test, camera), Mediaserver, Qualcomm drivers (Secure Execution Environment Communicator, camera, sound, crypto engine, video, Wi-Fi), MediaTek video driver, Synaptics touchscreen driver, system_server, and kernel performance subsystem; and Information disclosure vulnerabilities in kernel ION subsystem and NVIDIA GPU driver.
The 19 Moderate risk issues include an Elevation of privilege vulnerability in Qualcomm character driver; Information disclosure flaws in Qualcomm sound driver, Motorola USBNet driver, Qualcomm components, kernel components, NVIDIA profiler, and kernel; a Denial of service bug in kernel networking subsystem; and vulnerabilities in Qualcomm components. The Low risk flaw is a Denial of service vulnerability in kernel sound driver.
Not all of the vulnerabilities addressed in the 2016-10-05 security patch level affect all Nexus devices and some of them affect no Nexus model. Because the security bulletin was split in two, manufacturers have the flexibility to fix vulnerabilities that are similar across Android devices faster than before, but Google encourages them to resolve all bugs in this bulletin.