Google started splitting updates into two parts – a general patch and a driver- and kernel-specific patch – in July and continues this strategy in August. This should make it easier for vendors to apply the common patches quickly while still targeting only relevant devices with driver/kernel patches. We will have to wait and see if this helps vendors to act faster on these issues.
The most severe issue in the Android Security Bulletin – August 2016 is a Critical security vulnerability in Mediaserver that could enable remote code execution on an affected device through multiple methods, such as email, web browsing, and MMS when processing media files – Reference CVE-2016-3819, CVE-2016-3820, CVE-2016-3821
Another critical severity issue, CVE-2016-2504, is specific to the Qualcomm GPU driver and is an elevation of privileges vulnerability.
Here are some additional highlights from the report:
Remote code execution
- A high severity vulnerability in libjhead, a library for handling image metadata, is also fixed in the August 1st patch. The vulnerability enables remote code execution in any app that uses libjhead. CVE-2016-3822.
Device drivers and kernel vulnerabilities
- A critical fix to the Qualcomm Wi-Fi driver. CVE-2014-9902
- A few dozens of critical fixes were applied to various Qualcomm components.
- A kernel networking vulnerability. CVE-2015-2686, CVE-2016-3841
Note that no public exploitations of any of these issues are known at this time. OTA updates for Nexus devices have been released, and the new Nexus images are available for download here.
Skycure can identify exploited devices on your enterprise and will help you track the update process of devices in your organization.