August Android Security Bulletin: a year of patches
One year into Google’s monthly patching for Android, the August 2016 bulletin contains 103 patches, just short of the high of 108 from last month. This makes a total of 373 vulnerabilities reported via the monthly Android security bulletin for 2016 and a total of 454 since Google started publicly publishing these monthly reports a year ago. The vulnerabilities fixed this month span the entire range of attacks from critical remote code execution to moderate information disclosures and denial of service attacks. The bulletin also outlines two separate patch-levels to allow partners to fix a subset of issues that are “similar across all Android devices.” From Google:
- 2016-08-01: Partial security patch level string. This security patch level string indicates that all issues associated with 2016-08-01 (and all previous security patch level strings) are addressed.
- 2016-08-05: Complete security patch level string. This security patch level string indicates that all issues associated with 2016-08-01 and 2016-08-05 (and all previous security patch level strings) are addressed.
Mediaserver remote code execution
Google is not through patching its Mediaserver code one year since the initial Stagefright disclosures. In this month’s Android Security Bulletin, the company revealed more critical remote code execution vulnerabilities impacting the server known for the 2015 Stagefright vulnerabilities.
This month Google once again patched remote code execution vulnerabilities — specifically, three critical ones — in the Android mediaserver code. In fact, the company listed 12 different CVEs for mediaserver-specific vulnerabilities, 11 of which were deemed either critical or high.
Other than the remote code execution, which could allow an attacker to take over the device, Google patched four vulnerabilities that would have enabled attackers to execute privilege escalation attacks against the device and four that would have allowed attackers to execute distributed denial-of-service attacks against the media server.
Patches and components
We’ve also again seen a noteworthy amount of vendor-specific component patches largely in Qualcomm components, but also a few in NVIDIA, LG, and MediaTek. Most of these patches are in the second patch set for August 5, 2016.
Additionally, a few older vulnerabilities from as far back as 2012 were patched, specifically a vulnerability in the kernel file system that could “enable a local malicious application to execute arbitrary code within the context of the kernel.” Approximately 41 percent of this month's patches also address CVEs dated 2014, and with the exception of two patches these all directly affect Qualcomm components.
This is Android’s second highest month for vulnerability patches. Sixty-three percent of the issues fixed this month could result in an elevation of privileges, which is exactly the type of behavior malware looks to exploit so that it can gain permanence and access to your device and its data more easily.
It is extremely important to keep your device up to date with the latest version of Android and also to check for malicious applications that may seek to exploit these vulnerabilities. You can check which security patch level your device is on by following Google’s instructions. You are only patched against all of these vulnerabilities if your device reports the August 5, 2016 security patch level as shown in the screenshot below.
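For a fleet rather than a single handset, the same check can be scripted. The following is an added example, not code from the bulletin or from this article: it grades patch level strings against the partial (2016-08-01) and complete (2016-08-05) levels described above. The status names, the helper functions and the sample inventory are constructed for illustration, and it assumes the device exposes the string through the `ro.build.version.security_patch` system property readable over `adb`.

```shell
#!/bin/sh
# Added example: grade security patch level strings against the two levels in
# the August 2016 bulletin. Status names are this example's own.
PARTIAL_LEVEL="2016-08-01"    # partial patch level string
COMPLETE_LEVEL="2016-08-05"   # complete patch level string

# YYYY-MM-DD sorts correctly as an integer once the dashes are removed.
as_number() { printf '%s' "$1" | tr -d '-'; }

# Print COMPLETE, PARTIAL, MISSING or UNKNOWN for one patch level string.
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "UNKNOWN"; return 0 ;;   # empty or not a patch level string
    esac
    n=$(as_number "$1")
    if [ "$n" -ge "$(as_number "$COMPLETE_LEVEL")" ]; then
        echo "COMPLETE"   # levels are cumulative, so later strings also qualify
    elif [ "$n" -ge "$(as_number "$PARTIAL_LEVEL")" ]; then
        echo "PARTIAL"    # 2016-08-01 issues fixed, 2016-08-05 issues still open
    else
        echo "MISSING"    # predates both August 2016 levels
    fi
}

# Read the string from an attached device by adb serial (assumes adb on PATH).
device_patch_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r'
}

# Grade "device-name patch-level" lines read from stdin.
audit_inventory() {
    while read -r name level; do
        [ -n "$name" ] || continue
        printf '%s\t%s\t%s\n' "$name" "${level:-none}" \
            "$(classify_patch_level "$level")"
    done
}

# Constructed sample inventory, not real devices.
audit_inventory <<'EOF'
lab-phone-a 2016-08-05
lab-phone-b 2016-08-01
lab-phone-c 2016-07-05
lab-phone-d
lab-tablet-e 2016-09-01
EOF
```

For a connected device, pass the output of `device_patch_level` with the device's adb serial to `classify_patch_level`; a device that reports no string is graded UNKNOWN rather than assumed patched.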
August 2016 Vulnerability Stats
- 45.63% are critical
- 40.78% are high
- 13.59% are moderate
- 5.83% are Remote Code Execution Vulnerabilities
- 63.11% are Elevation of Privilege Vulnerabilities
- 7.77% are Denial of Service Vulnerabilities
- 20.39% are Information Disclosure Vulnerabilities