14 DAY TRIAL // Google has released today the September edition of the Android Security Bulletin, which, starting this month, features a new three-level patching string system that is extremely confusing, even for Android professionals.
The "Android security patch level" string is a setting in the phone's "About" section that tells you the date of the last security update your phone received.
Google introduced this string when it started delivering scheduled monthly updates last August.
In May 2016, the company renamed the Nexus Security Bulletin to the Android Security Bulletin to reflect that some of the fixes addressed all Android devices, not just its own.
In July 2015, the company split the bulletin in two, with one section addressing security fixes in core Android files while the second containing fixes in device-specific drivers and components. As such, the bulletin featured, for the first time, two security patch levels.
September security bulletin fixes 54 security issues
For this month, lo and behold, the Android Security Bulletin now has three security patch levels that for sure will confuse users.
There's the "2016-09-01" security patch level that includes core security updates for the Android OS.
There's the "2016-09-05" security patch level indicating that a device has received security updates for core files and device-specific drivers.
And there's "2016-09-06," which indicates the phone includes security updates for core files, device-specific drivers, and... we don't know. For this month, the third security patch level includes two bug fixes, one for a critical update for an Android core-related issue, and for a Qualcomm networking component. Doesn't really make sense that much.
Remember, this was the same company that was cited saying it would start shaming OEMs for failing to implement security fixes. Well, Google isn't making their life easier.
Below is the screenshot of an Android device's security patch level string, and all the security fixes included in this month's security bulletin.
| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in LibUtils | CVE-2016-3861 | Critical | Yes |
| Remote code execution vulnerability in Mediaserver | CVE-2016-3862 | Critical | Yes |
| Remote code execution vulnerability in MediaMuxer | CVE-2016-3863 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3870, CVE-2016-3871, CVE-2016-3872 | High | Yes |
| Elevation of privilege vulnerability in device boot | CVE-2016-3875 | High | No* |
| Elevation of privilege vulnerability in Settings | CVE-2016-3876 | High | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2016-3899, CVE-2016-3878, CVE-2016-3879, CVE-2016-3880, CVE-2016-3881 | High | Yes |
| Elevation of privilege vulnerability in Telephony | CVE-2016-3883 | Moderate | Yes |
| Elevation of privilege vulnerability in Notification Manager Service | CVE-2016-3884 | Moderate | Yes |
| Elevation of privilege vulnerability in Debuggerd | CVE-2016-3885 | Moderate | Yes |
| Elevation of privilege vulnerability in System UI Tuner | CVE-2016-3886 | Moderate | Yes |
| Elevation of privilege vulnerability in Settings | CVE-2016-3887 | Moderate | Yes |
| Elevation of privilege vulnerability in SMS | CVE-2016-3888 | Moderate | Yes |
| Elevation of privilege vulnerability in Settings | CVE-2016-3889 | Moderate | Yes |
| Elevation of privilege vulnerability in Java Debug Wire Protocol | CVE-2016-3890 | Moderate | No* |
| Information disclosure vulnerability in Mediaserver | CVE-2016-3895 | Moderate | Yes |
| Information disclosure vulnerability in AOSP Mail | CVE-2016-3896 | Moderate | No* |
| Information disclosure vulnerability in Wi-Fi | CVE-2016-3897 | Moderate | No* |
| Denial of service vulnerability in Telephony | CVE-2016-3898 | Moderate | Yes |
| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Elevation of privilege vulnerability in kernel security subsystem | CVE-2014-9529, CVE-2016-4470 | Critical | Yes |
| Elevation of privilege vulnerability in kernel networking subsystem | CVE-2013-7446 | Critical | Yes |
| Elevation of privilege vulnerability in kernel netfilter subsystem | CVE-2016-3134 | Critical | Yes |
| Elevation of privilege vulnerability in kernel USB driver | CVE-2016-3951 | Critical | Yes |
| Elevation of privilege vulnerability in kernel sound subsystem | CVE-2014-4655 | High | Yes |
| Elevation of privilege vulnerability in kernel ASN.1 decoder | CVE-2016-2053 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm radio interface layer | CVE-2016-3864 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm subsystem driver | CVE-2016-3858 | High | Yes |
| Elevation of privilege vulnerability in kernel networking driver | CVE-2016-4805 | High | Yes |
| Elevation of privilege vulnerability in Synaptics touchscreen driver | CVE-2016-3865 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm camera driver | CVE-2016-3859 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm sound driver | CVE-2016-3866 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm IPA driver | CVE-2016-3867 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm power driver | CVE-2016-3868 | High | Yes |
| Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2016-3869 | High | Yes |
| Elevation of privilege vulnerability in kernel eCryptfs filesystem | CVE-2016-1583 | High | Yes |
| Elevation of privilege vulnerability in NVIDIA kernel | CVE-2016-3873 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm Wi-Fi driver | CVE-2016-3874 | High | Yes |
| Denial of service vulnerability in kernel networking subsystem | CVE-2015-1465, CVE-2015-5364 | High | Yes |
| Denial of service vulnerability in kernel ext4 file system | CVE-2015-8839 | High | Yes |
| Information disclosure vulnerability in Qualcomm SPMI driver | CVE-2016-3892 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm sound codec | CVE-2016-3893 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm DMA component | CVE-2016-3894 | Moderate | Yes |
| Information disclosure vulnerability in kernel networking subsystem | CVE-2016-4998 | Moderate | Yes |
| Denial of service vulnerability in kernel networking subsystem | CVE-2015-2922 | Moderate | Yes |
| Vulnerabilities in Qualcomm components | CVE-2016-2469 | High | No |
| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Elevation of privilege vulnerability in kernel shared memory subsystem | CVE-2016-5340 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm networking component | CVE-2016-2059 | High | Yes |