Google released patches for 57 security vulnerabilities affecting Android devices. Eight of the flaws were issued a “critical” rating. September's updates are bundled into three “security patch level strings” in an effort to ease the process for Android device manufacturers to apply updates across their devices.
The first update bundle (2016-09-01) includes 19 patches addressing 25 vulnerabilities, including two vulnerabilities that received a critical rating, Google stated in this month's Android Security Bulletin. One of the critical flaws (CVE-2016-3861), a remote code execution flaw in LibUtils, results in a heap-buffer-overflow. Google's Mark Brand called the flaw “an extremely serious bug,” in a Project Zero blog post published Wednesday. The vulnerable code path is accessible from many different attack vectors, he wrote. The other critical vulnerability (CVE-2016-3862) is a remote code execution flaw in Mediaserver.
Mediaserver flaws have been an ongoing issue for Android devices since the discovery of the Stagefright vulnerability in July 2015. Android Security Team's Xiaowen Xin wrote about changes to Android Nougat aimed at resolving Stagefright-related attacks, in an Android Developers blog post published on Tuesday. “In Android Nougat, we've both hardened and re-architected mediaserver, one of the main system services that processes untrusted input,” Xin wrote.
Tripwire security researcher Craig Young told SCMagazine.com that Google's use of a sanitizer to resolve Mediaserver attacks is “exciting.” He mentioned that “a good number of the Mediaserver flaws discovered by researchers recently were likely found by fuzzing Mediaserver components mixed with a sanitizer.” While not all sanitizers are suitable for production, he noted that the limited use of sanitizers in this case “should be effective in negating the Mediaserver bugs.”
The next set of updates (2016-09-05) includes 26 patches addressing 28 vulnerabilities. The bundle includes four critical updates for elevation of privilege vulnerabilities in the kernel security subsystem (CVE-2014-9529, CVE-2016-4470), kernel networking subsystem (CVE-2013-7446), kernel netfilter subsystem (CVE-2016-3134), and kernel USB driver (CVE-2016-3951).
The final group of security patches (2016-09-06) includes two patches, one of which resolves a critical elevation of privilege vulnerability in the kernel shared memory subsystem (CVE-2016-5340).