Google released a series of patches for the Android operating system.
The patches focus on 81 vulnerabilities affecting drivers and components, most of which ended up reported in 2014.
The first part of the monthly updates resolve 22 vulnerabilities in Android, including three critical bugs in Mediaserver and 10 high severity and nine medium risk bugs in other components.
The August Android security bulletin resolves three Remote Code Execution (RCE) flaws (CVE-2016-3819, CVE-2016-3820, and CVE-2016-3821) in Mediaserver, which could end up triggered using a specially crafted file. The bugs affect Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1 versions and can end up exploited via multiple applications, including messaging apps and browsers and end up resolved on devices with security patch levels of 2016-08-01 or later.
Of the 10 high severity bugs resolved this month, one RCE bug was in libjhead (CVE-2016-3822), one Denial of service (DoS) in system clock (CVE-2016-3831), and eight issues were in Mediaserver, four of which were Elevation of Privilege (EoP) bugs (CVE-2016-3823, CVE-2016-3824, CVE-2016-3825, CVE-2016-3826) and four DoS flaws (CVE-2016-3827, CVE-2016-3828, CVE-2016-3829, CVE-2016-3830). All of these vulnerabilities affect Android 4.4.4 to 6.0.1, Google said in a post.
The nine medium risk issues included an EoP in framework APIs, an EoP in Shell, Information disclosure bugs in OpenSSL, camera APIs, Mediaserver, SurfaceFlinger and Wi-Fi, and DoS flaws in system UI and Bluetooth. Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1 releases suffer from the issues.
Qualcomm components received the most patches in Google’s new security updates.
These included 36 EoP flaws (one Critical – CVE-2014-9863, 33 high risk, and two moderate), 10 information disclosure bugs (two high and eight moderate risk), two critical EoPs in GPU driver, one critical RCE in WiFi driver (CVE-2014-9902), one critical EoP in performance component, one high risk EoP in bootloader, one high risk DoS, and three other flaws, also considered high severity.
Security patch levels of 2016-08-05 or later resolve these vulnerabilities, as well as multiple other flaws, including a critical RCE in Conscrypt, and two critical EoPs in the kernel and in kernel networking components. High severity EoPs in kernel memory system, kernel sound component, kernel file system, Mediaserver, kernel video driver, Serial Peripheral Interface driver, NVIDIA media driver, ION driver, kernel performance subsystem, and LG Electronics bootloader also ended up patched.