Google released its Android security bulletin for July, providing updates for 89 critical and high severity vulnerabilities affecting software and hardware components including Mediaserver, OpenSSL, BoringSSL, Bluetooth, Qualcomm, and numerous drivers.
The security bulletin includes two levels of patched vulnerabilities: July 1 and July 5. The earlier update includes 7 critical vulnerabilities (CVE-2016-2506, CVE-2016-2505, CVE-2016-2507, CVE-2016-2508, CVE-2016-3741, CVE-2016-3742, and CVE-2016-3743) affecting Google’s multimedia application Mediaserver, which could allow remote code execution. A critical flaw (CVE-2016-2108) related to OpenSSL and BoringSSL cold allow a remote attacker to use a specially crafted file to execute remote code.
Joshua Drake, vice president of platform research and exploitation at Zimperium, found the two patch levels in the bulletin to be unusual, considering that the two levels of updates “cover a different large set of issues.” He noted that Google’s Android Security Team may be reluctant to push older vulnerabilities that “may or may not be patched in OEM code bases.”
Drake, the security researcher who discovered the Stagefright vulnerability last July, found it “unsurprising” that Mediaserver issues continue to be discovered. “At this point, I will be surprised if there is a bulletin without any such issues,” he wrote, in an email to SCMagazine.com.
The July 1 update for Android includes an OpenSSL and BoringSSL vulnerability (CVE-2016-2108) that could allow a remote attacker to use a specially crafted file to execute vulnerable code, and 15 high severity flaws.
The July 5 update includes 12 critical severity vulnerabilities related to the Qualcomm GPU driver (CVE-2016-2503, and CVE-2016-2067), MediaTek Wi-Fi driver (CVE-2016-3767), Qualcomm’s performance component (CVE-2016-3768), NVIDIA video driver (CVE-2016-3769), MediaTek drivers (CVE-2016-3770, CVE-2016-3771, CVE-2016-3772, CVE-2016-3773, and CVE-2016-3774), kernel file system (CVE-2016-3775), USB driver (CVE-2015-8816); and 54 high severity flaws.
Drake said that Google has improved its ability to plan for upstream projects and pull in security patches from the project teams.
Earlier Wednesday, Samsung released its July security update for Android vulnerabilities, ahead of Android, highlighting two flaws affecting the South Korean phone manufacturer’s devices. The more serious vulnerability affects the Samsung Professional Audio software development kit (SDK), and could allow an attacker to execute arbitrary code or escalate privileges. A medium-level vulnerability could allow an attacker to exploit a null pointer dereference vulnerability to crash the system.
Last year, Samsung began issuing Android patches according to a monthly timetable after the discovery of the Stagefright vulnerability.