This article is more than 1 year old
Google melts 78 Android security holes, two of which were critical
Chinese hackers thanked for help finding flaws
Google has crushed 78 Android security flaws in its October bug blitzkrieg, repairing critical core Android services along the way.
The patch parade sees the tech giant return to a high-double-digit patch run after issuing only 47 fixes last month and a whopping 103 in August.
The updates are split into essential Android system-level software flaws, recommended hardware drivers and kernel-level flaws.
Google appears not to have felled any bugs worthy of a name, logo, and a website, but did stomp on five critical holes including two remote code execution kernel bugs, two privilege escalation, and clobbered Qualcomm componentry (CVE-2016-3926, CVE-2016-3927, CVE-2016-3929).
The critical bugs could allow attackers to permanently bork all Nexus devices requiring users to re-flash their operating systems and lose all unprotected data.
The first of these (CVE-2016-7117) lies in the kernel networking subsystem allowing remote attackers to execute arbitrary code in the context of the kernel.
Another critical hole (CVE-2016-0758 ) allows installed apps to execute arbitrary code within the context of the kernel via an elevation of privilege vulnerability in the kernel ASN.1 decoder.
Those are joined by 44 high-severity holes, many of which were privilege escalation, affecting the zygote process, mediaserver, and lock screen among other services.
Mountain View flushed 14 moderate-severity bugs, three of which were privilege escalation, with one information disclosure hole and a lone denial of service wi-fi hole.
Android engineers fixed one lonely low-severity denial of service vulnerability in kernel sound driver which VXer jerks could use to reboot devices.
Google thanked its cadre of external and internal security researchers who found the bugs. An increasing number of those hail from China where bug bashing appears to have become a sport notably among the vulnerability chaingun house Qihoo 360.
The company again yelled into the Android ecosystem echo chamber in a deflated bid to get vendors to apply patches to their custom ROMs. ®
Issue | CVE | Severity | Affects Nexus? |
Elevation of privilege vulnerability in ServiceManager | CVE-2016-3900 | High | Yes |
Elevation of privilege vulnerability in Lock Settings Service | CVE-2016-3908 | High | Yes |
Elevation of privilege vulnerability in Mediaserver | CVE-2016-3909, CVE-2016-3910, CVE-2016-3913 | High | Yes |
Elevation of privilege vulnerability in Zygote process | CVE-2016-3911 | High | Yes |
Elevation of privilege vulnerability in framework APIs | CVE-2016-3912 | High | Yes |
Elevation of privilege vulnerability in Telephony | CVE-2016-3914 | High | Yes |
Elevation of privilege vulnerability in Camera service | CVE-2016-3915, CVE-2016-3916 | High | Yes |
Elevation of privilege vulnerability in fingerprint login | CVE-2016-3917 | High | Yes |
Information disclosure vulnerability in AOSP Mail | CVE-2016-3918 | High | Yes |
Denial of service vulnerability in Wi-Fi | CVE-2016-3882 | High | Yes |
Denial of service vulnerability in GPS | CVE-2016-5348 | High | Yes |
Denial of service vulnerability in Mediaserver | CVE-2016-3920 | High | Yes |
Elevation of privilege vulnerability in Framework Listener | CVE-2016-3921 | Moderate | Yes |
Elevation of privilege vulnerability in Telephony | CVE-2016-3922 | Moderate | Yes |
Elevation of privilege vulnerability in Accessibility services | CVE-2016-3923 | Moderate | Yes |
Information disclosure vulnerability in Mediaserver | CVE-2016-3924 | Moderate | Yes |
Denial of service vulnerability in Wi-Fi | CVE-2016-3925 | Moderate | Yes |
2016-10-05 security patch level—Vulnerability summary | |||
Issue | CVE | Severity | Affects Nexus? |
Remote code execution vulnerability in kernel ASN.1 decoder | CVE-2016-0758 | Critical | Yes |
Remote code execution vulnerability in kernel networking subsystem | CVE-2016-7117 | Critical | Yes |
Elevation of privilege vulnerability in MediaTek video driver | CVE-2016-3928 | Critical | No |
Elevation of privilege vulnerability in kernel shared memory driver | CVE-2016-5340 | Critical | Yes |
Vulnerabilities in Qualcomm components | CVE-2016-3926, CVE-2016-3927, CVE-2016-3929 | Critical | Yes |
Elevation of privilege vulnerability in Qualcomm networking component | CVE-2016-2059 | High | Yes |
Elevation of privilege vulnerability in NVIDIA MMC test driver | CVE-2016-3930 | High | Yes |
Elevation of privilege vulnerability in Qualcomm Secure Execution Environment Communicator driver | CVE-2016-3931 | High | Yes |
Elevation of privilege vulnerability in Mediaserver | CVE-2016-3932, CVE-2016-3933 | High | Yes |
Elevation of privilege vulnerability in Qualcomm camera driver | CVE-2016-3903, CVE-2016-3934 | High | Yes |
Elevation of privilege vulnerability in Qualcomm sound driver | CVE-2015-8951 | High | Yes |
Elevation of privilege vulnerability in Qualcomm crypto engine driver | CVE-2016-3901, CVE-2016-3935 | High | No |
Elevation of privilege vulnerability in MediaTek video driver | CVE-2016-3936, CVE-2016-3937 | High | Yes |
Elevation of privilege vulnerability in Qualcomm video driver | CVE-2016-3938, CVE-2016-3939 | High | Yes |
Elevation of privilege vulnerability in Synaptics touchscreen driver | CVE-2016-3940, CVE-2016-6672 | High | Yes |
Elevation of privilege vulnerability in NVIDIA camera driver | CVE-2016-6673 | High | Yes |
Elevation of privilege vulnerability in system_server | CVE-2016-6674 | High | Yes |
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver | CVE-2016-3905, CVE-2016-6675, CVE-2016-6676, CVE-2016-5342 | High | Yes |
Elevation of privilege vulnerability in kernel performance subsystem | CVE-2015-8955 | High | Yes |
Information disclosure vulnerability in kernel ION subsystem | CVE-2015-8950 | High | Yes |
Information disclosure vulnerability in NVIDIA GPU driver | CVE-2016-6677 | High | Yes |
Elevation of privilege vulnerability in Qualcomm character driver | CVE-2015-0572 | Moderate | Yes |
Information disclosure vulnerability in Qualcomm sound driver | CVE-2016-3860 | Moderate | Yes |
Information disclosure vulnerability in Motorola USBNet driver | CVE-2016-6678 | Moderate | Yes |
Information disclosure vulnerability in Qualcomm components | CVE-2016-6679, CVE-2016-3902, CVE-2016-6680, CVE-2016-6681, CVE-2016-6682 | Moderate | Yes |
Information disclosure vulnerability in kernel components | CVE-2016-6683, CVE-2016-6684, CVE-2015-8956, CVE-2016-6685 | Moderate | Yes |
Information disclosure vulnerability in NVIDIA profiler | CVE-2016-6686, CVE-2016-6687, CVE-2016-6688 | Moderate | Yes |
Information disclosure vulnerability in kernel | CVE-2016-6689 | Moderate | Yes |
Denial of service vulnerability in kernel networking subsystem | CVE-2016-5696 | Moderate | Yes |
Denial of service vulnerability in kernel sound driver | CVE-2016-6690 | Low | Yes |
Vulnerabilities in Qualcomm components | CVE-2016-6691, CVE-2016-6692, CVE-2016-6693, CVE-2016-6694, CVE-2016-6695, CVE-2016-6696, CVE-2016-5344, CVE-2016-5343 | High | No |
®