Google has released a security update that patches 57 known Android vulnerabilities, eight of which are critical. The update is split into three security patch level strings to make it easier for device manufacturers to apply the fixes to their products.
57 Android Vulnerabilities Are Now Fixed
The fixes are distributed in three separate sets. They are split this way because device manufacturers often have to modify the code so that it can run on their customized ROMs. As always, Nexus devices and those that run clean modifications will receive the updates before customized versions.
The first package (2016-09-01) contains 19 security patches that amend 25 vulnerabilities. Two of them are rated critical. One of them is a remote code execution issue in LibUtils (CVE-2016-3861) that results in a heap buffer overflow. This has been described as “an extremely serious bug” by Mark Brand, one of the security analysts from Google. The other issue (CVE-2016-3862) is a remote code execution issue in the Mediaserver component of the operating system.
Security issues in Mediaserver have been a problem for Android ever since the massive Stagefright attacks last year. The Android Security team has posted that Android Nougat will resolve Mediaserver attacks by incorporating various security patches and mechanisms.
The second group of patches (2016-09-05) contains 26 fixes that amend 28 vulnerabilities. Four critical patches for privilege escalation in the system kernel components are included. Affected modules include the networking subsystem, the netfilter subsystem, and the USB driver.
The last group (2016-09-06) contains two patches, one of which resolves a critical privilege escalation in the kernel shared memory subsystem.
Android users are advised to update their devices as soon as the updates are available from the manufacturers.