14 DAY TRIAL // Google has patched 103 security flaws in this month's Android Security Bulletin, with 22 fixes in core Android files and 81 in OS drivers, most notably in Qualcomm components.
After last month Google announced it was splitting its security bulletin in two, it now becomes more evident why the company took such a step.
A focus on driver-related issues
Just like last month, for August's security patches, the company's engineers spent more time fixing driver-related issues and much less fixing core Android vulnerabilities.
This comes yet again to prove that, most of the time, the teams behind big projects like Android and the Linux kernel generally know what they're doing, and issues usually reach the OS via third-party code, needed for the OS to work with various hardware components.
This month, Google engineers had to address only one critical security issue, out of all the 22 security flaws reported in core Android components. On the other hands, researchers fixed 44 critical issues out of 81 driver-related bugs, more than half of the total reported.
With the Android core code getting more stable and secure, expect future Android Security Bulletins to continue focusing on driver-related issues more and more each month.
Happy Birthday, Android Security Bulletin!
As a side note, this month's security bulletin comes one year after Google released its first-ever security bulletin, in August, right after the Black Hat USA 2015 security conference, where the infamous Stagefright vulnerability was revealed to the world.
Ever since then, Google has been releasing monthly security fixes to address security bugs in the underlying Mediaserver component and the libstagefright library, with engineers addressing over 100 bugs in those two components. For more details about Stagefright's one-year anniversary, check out Zimperium's blog post from last week.
Below are the two lists of Android security flaws, the ones fixed in core Android files and the ones fixed in driver-related components.
| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in Mediaserver | CVE-2016-3819, CVE-2016-3820, CVE-2016-3821 | Critical | Yes |
| Remote code execution vulnerability in libjhead | CVE-2016-3822 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3823, CVE-2016-3824, CVE-2016-3825, CVE-2016-3826 | High | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2016-3827, CVE-2016-3828, CVE-2016-3829, CVE-2016-3830 | High | Yes |
| Denial of service vulnerability in system clock | CVE-2016-3831 | High | Yes |
| Elevation of privilege vulnerability in framework APIs | CVE-2016-3832 | Moderate | Yes |
| Elevation of privilege vulnerability in S hell | CVE-2016-3833 | Moderate | Yes |
| Information disclosure vulnerability in OpenSSL | CVE-2016-2842 | Moderate | Yes |
| Information disclosure vulnerability in camera APIs | CVE-2016-3834 | Moderate | Yes |
| Information disclosure vulnerability in Mediaserver | CVE-2016-3835 | Moderate | Yes |
| Information disclosure vulnerability in SurfaceFlinger | CVE-2016-3836 | Moderate | Yes |
| Information disclosure vulnerability in Wi-Fi | CVE-2016-3837 | Moderate | Yes |
| Denial of service vulnerability in system UI | CVE-2016-3838 | Moderate | Yes |
| Denial of service vulnerability in Bluetooth | CVE-2016-3839 | Moderate | Yes |
| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote code execution vulnerability in Qualcomm Qualcomm Wi-Fi driver | CVE-2014-9902 | Critical | Yes |
| Remote code execution vulnerability in Conscrypt | CVE-2016-3840 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm components | CVE-2014-9863, CVE-2014-9864, CVE-2014-9865, CVE-2014-9866, CVE-2014-9867, CVE-2014-9868, CVE-2014-9869, CVE-2014-9870, CVE-2014-9871, CVE-2014-9872, CVE-2014-9873, CVE-2014-9874, CVE-2014-9875, CVE-2014-9876, CVE-2014-9877, CVE-2014-9878, CVE-2014-9879, CVE-2014-9880, CVE-2014-9881, CVE-2014-9882, CVE-2014-9883, CVE-2014-9884, CVE-2014-9885, CVE-2014-9886, CVE-2014-9887, CVE-2014-9888, CVE-2014-9889, CVE-2014-9890, CVE-2014-9891, CVE-2015-8937, CVE-2015-8938, CVE-2015-8939, CVE-2015-8940, CVE-2015-8941, CVE-2015-8942, CVE-2015-8943 | Critical | Yes |
| Elevation of privilege vulnerability in kernel networking component | CVE-2015-2686, CVE-2016-3841 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm GPU driver | CVE-2016-2504, CVE-2016-3842 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm performance component | CVE-2016-3843 | Critical | Yes |
| Elevation of privilege vulnerability in kernel | CVE-2016-3857 | Critical | Yes |
| Elevation of privilege vulnerability in kernel memory system | CVE-2015-1593, CVE-2016-3672 | High | Yes |
| Elevation of privilege vulnerability in kernel sound component | CVE-2016-2544, CVE-2016-2546, CVE-2014-9904 | High | Yes |
| Elevation of privilege vulnerability in kernel file system | CVE-2012-6701 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3844 | High | Yes |
| Elevation of privilege vulnerability in kernel video driver | CVE-2016-3845 | High | Yes |
| Elevation of privilege vulnerability in Serial Peripheral Interface driver | CVE-2016-3846 | High | Yes |
| Elevation of privilege vulnerability in NVIDIA media driver | CVE-2016-3847, CVE-2016-3848 | High | Yes |
| Elevation of privilege vulnerability in ION driver | CVE-2016-3849 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm bootloader | CVE-2016-3850 | High | Yes |
| Elevation of privilege vulnerability in kernel performance subsystem | CVE-2016-3843 | High | Yes |
| Elevation of privilege vulnerability in LG Electronics bootloader | CVE-2016-3851 | High | Yes |
| Information disclosure vulnerability in Qualcomm components | CVE-2014-9892, CVE-2014-9893 CVE-2014-9894, CVE-2014-9895 CVE-2014-9896, CVE-2014-9897 CVE-2014-9898, CVE-2014-9899 CVE-2014-9900, CVE-2015-8944 | High | Yes |
| Information disclosure vulnerability in kernel scheduler | CVE-2014-9903 | High | Yes |
| Information disclosure vulnerability in MediaTek Wi-Fi driver | CVE-2016-3852 | High | Yes |
| Information disclosure vulnerability in USB driver | CVE-2016-4482 | High | Yes |
| Denial of service vulnerability in Qualcomm components | CVE-2014-9901 | High | Yes |
| Elevation of privilege vulnerability in Google Play services | CVE-2016-3853 | Moderate | Yes |
| Elevation of privilege vulnerability in Framework APIs | CVE-2016-2497 | Moderate | Yes |
| Information disclosure vulnerability in kernel networking component | CVE-2016-4578 | Moderate | Yes |
| Information disclosure vulnerability in kernel sound component | CVE-2016-4569, CVE-2016-4578 | Moderate | Yes |
| Vulnerabilities in Qualcomm components | CVE-2016-3854, CVE-2016-3855, CVE-2016-3856 | High | No |