Tuesday, 2 August 2016

On 03:58 by admin
Another month means another double bundle of security vulnerability patches for Android.
Google is sticking to the twin-release pattern it used last month: the first batch addresses flaws in Android's system-level software that everyone should install, and the second squashes bugs in hardware drivers and kernel-level code that not everyone needs.

The first patch set closes holes in Android 4.4.4 to the current build. Owners of Nexus gear will get these patches over-the-air very soon; everyone else will have to wait for their gadget makers and cellphone networks to issue them – which might be forever, leaving them forever vulnerable.
These holes include programming blunders in Mediaserver that can be exploited by a specially crafted MMS or an in-browser media file to potentially execute malicious code on a device. Getting a bad text or visiting an evil webpage could be enough to slip spyware onto your device, provided it is able to defeat ASLR and other defense mechanisms.

Mediaserver has other bugs, including four elevation-of-privileges holes allowing installed apps to gain more control of a device than they should, and code cockups that can crash a handheld.
The remaining patches address information leakages in the Wi-Fi, camera, SurfaceFlinger and Mediaserver code, and OpenSSL, all of which can be abused by installed apps to "access sensitive data without permission." The full list is here:

| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in Mediaserver | CVE-2016-3819, CVE-2016-3820, CVE-2016-3821 | Critical | Yes |
| Remote code execution vulnerability in libjhead | CVE-2016-3822 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3823, CVE-2016-3824, CVE-2016-3825, CVE-2016-3826 | High | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2016-3827, CVE-2016-3828, CVE-2016-3829, CVE-2016-3830 | High | Yes |
| Denial of service vulnerability in system clock | CVE-2016-3831 | High | Yes |
| Elevation of privilege vulnerability in framework APIs | CVE-2016-3832 | Moderate | Yes |
| Elevation of privilege vulnerability in Shell | CVE-2016-3833 | Moderate | Yes |
| Information disclosure vulnerability in OpenSSL | CVE-2016-2842 | Moderate | Yes |
| Information disclosure vulnerability in camera APIs | CVE-2016-3834 | Moderate | Yes |
| Information disclosure vulnerability in Mediaserver | CVE-2016-3835 | Moderate | Yes |
| Information disclosure vulnerability in SurfaceFlinger | CVE-2016-3836 | Moderate | Yes |
| Information disclosure vulnerability in Wi-Fi | CVE-2016-3837 | Moderate | Yes |
| Denial of service vulnerability in system UI | CVE-2016-3838 | Moderate | Yes |
| Denial of service vulnerability in Bluetooth | CVE-2016-3839 | Moderate | Yes |

The second patch bundle contains fixes for driver-level code, and whether or not you need each of them depends on your hardware: if you have a chipset that introduces one of these vulnerabilities, you'll need to install a fix.
Nexus owners will get these automatically as necessary; other phone and tablet manufacturers may roll them out as and when they feel ready. That could be never in some cases.
The bundle predominantly fixes problems with Qualcomm's driver software – Qualy being the dominant Android system-on-chip designer, with its Snapdragon SoCs used pretty much everywhere. These Qualcomm bugs are definitely ones to watch, as these kinds of low-level flaws were used to blow apart Android's full-disk encryption system last month.
The patches include fixes for Qualcomm's bootloader, and Qualcomm drivers for cameras, networking, sound, and video hardware. A malicious app on a Qualcomm-powered phone or tablet could exploit these to gain kernel-level access – completely hijacking the device, in other words. An app could use these holes to root a Nexus 5, 5X, 6, 6P and 7 so badly it would need a complete factory reset to undo the damage.
There are other bugs fixed in this batch because they can be exploited by malicious applications on Qualcomm-powered devices to access "sensitive data without explicit user permission." The full list is below:

| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in Qualcomm Wi-Fi driver | CVE-2014-9902 | Critical | Yes |
| Remote code execution vulnerability in Conscrypt | CVE-2016-3840 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm components | CVE-2014-9863, CVE-2014-9864, CVE-2014-9865, CVE-2014-9866, CVE-2014-9867, CVE-2014-9868, CVE-2014-9869, CVE-2014-9870, CVE-2014-9871, CVE-2014-9872, CVE-2014-9873, CVE-2014-9874, CVE-2014-9875, CVE-2014-9876, CVE-2014-9877, CVE-2014-9878, CVE-2014-9879, CVE-2014-9880, CVE-2014-9881, CVE-2014-9882, CVE-2014-9883, CVE-2014-9884, CVE-2014-9885, CVE-2014-9886, CVE-2014-9887, CVE-2014-9888, CVE-2014-9889, CVE-2014-9890, CVE-2014-9891, CVE-2015-8937, CVE-2015-8938, CVE-2015-8939, CVE-2015-8940, CVE-2015-8941, CVE-2015-8942, CVE-2015-8943 | Critical | Yes |
| Elevation of privilege vulnerability in kernel networking component | CVE-2015-2686, CVE-2016-3841 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm GPU driver | CVE-2016-2504, CVE-2016-3842 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm performance component | CVE-2016-3843 | Critical | Yes |
| Elevation of privilege vulnerability in kernel | CVE-2016-3857 | Critical | Yes |
| Elevation of privilege vulnerability in kernel memory system | CVE-2015-1593, CVE-2016-3672 | High | Yes |
| Elevation of privilege vulnerability in kernel sound component | CVE-2016-2544, CVE-2016-2546, CVE-2014-9904 | High | Yes |
| Elevation of privilege vulnerability in kernel file system | CVE-2012-6701 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3844 | High | Yes |
| Elevation of privilege vulnerability in kernel video driver | CVE-2016-3845 | High | Yes |
| Elevation of privilege vulnerability in Serial Peripheral Interface driver | CVE-2016-3846 | High | Yes |
| Elevation of privilege vulnerability in NVIDIA media driver | CVE-2016-3847, CVE-2016-3848 | High | Yes |
| Elevation of privilege vulnerability in ION driver | CVE-2016-3849 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm bootloader | CVE-2016-3850 | High | Yes |
| Elevation of privilege vulnerability in kernel performance subsystem | CVE-2016-3843 | High | Yes |
| Elevation of privilege vulnerability in LG Electronics bootloader | CVE-2016-3851 | High | Yes |
| Information disclosure vulnerability in Qualcomm components | CVE-2014-9892, CVE-2014-9893, CVE-2014-9894, CVE-2014-9895, CVE-2014-9896, CVE-2014-9897, CVE-2014-9898, CVE-2014-9899, CVE-2014-9900, CVE-2015-8944 | High | Yes |
| Information disclosure vulnerability in kernel scheduler | CVE-2014-9903 | High | Yes |
| Information disclosure vulnerability in MediaTek Wi-Fi driver | CVE-2016-3852 | High | Yes |
| Information disclosure vulnerability in USB driver | CVE-2016-4482 | High | Yes |
| Denial of service vulnerability in Qualcomm components | CVE-2014-9901 | High | Yes |
| Elevation of privilege vulnerability in Google Play services | CVE-2016-3853 | Moderate | Yes |
| Elevation of privilege vulnerability in Framework APIs | CVE-2016-2497 | Moderate | Yes |
| Information disclosure vulnerability in kernel networking component | CVE-2016-4578 | Moderate | Yes |
| Information disclosure vulnerability in kernel sound component | CVE-2016-4569, CVE-2016-4578 | Moderate | Yes |
| Vulnerabilities in Qualcomm components | CVE-2016-3854, CVE-2016-3855, CVE-2016-3856 | High | No |

Based on past experience, Nexus users are going to get both sets of patches within the next seven days. Other Android users may have to wait an awful lot longer – during which time, they'll be potentially vulnerable to attack.
