Google Android security bulletin October 2016: remote code execution vulns continue

The October 2016 Android Security Bulletin contains 78 patches for Android devices, 23 more than last month and the third-highest count since Google started releasing the monthly bulletins. It again includes remote code execution (RCE) vulnerabilities, which could allow an attacker to take over a device with very little interaction from the victim.

Given the fragmentation of Android and the slow patch cycles for many devices, a growing backlog of RCE issues could spell trouble both for individuals waiting for patches and for companies whose employees use Android devices.

This is likely one of the reasons why Google is starting to put more pressure on its partners to update Android devices more frequently.

Twenty of the patched issues affect apps, processes and services that are common to all Android devices. The remaining 58 patches affect device-specific code, found only on some devices, in software from Qualcomm, NVIDIA and MediaTek, among others. The main issues Android users should be concerned about this month are the two critical remote code execution vulnerabilities in the Linux kernel on which Android runs.

Two critical vulnerabilities

The two remote code execution vulnerabilities, CVE-2016-0758 and CVE-2016-7117, which security researchers found in the Linux kernel several months ago, have been patched in the latest Android security release. The first (CVE-2016-0758) is an integer overflow in the kernel's ASN.1 decoder, which the keys subsystem uses to parse objects such as X.509 certificates; a crafted length field can defeat the decoder's bounds check. The second (CVE-2016-7117) is a use-after-free in the error-handling path of the recvmmsg() socket (i.e., networking) system call.
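The bug class behind the first of these, as an added illustration that is not the kernel's code: a simplified DER length decoder modelled on the shape of the kernel's ASN.1 decoder, with the unchecked cursor advance beside the bounds-checked version. When the decoder reads long-form length octets without first confirming they exist, the cursor `dp` can pass `datalen`; the unsigned expression `datalen - dp` then wraps to a huge value and the overrun check can never fail. The crafted input, the oversized backing array (its extra bytes stand in for whatever memory follows the real buffer) and the function names are the example's own, not taken from the bulletin or the kernel.

```c
/* asn1_len_demo.c: illustration of the ASN.1 length-decoding overflow class.
 * Simplified stand-in written for this article, NOT the kernel's decoder.
 * Build: cc -std=c99 -Wall asn1_len_demo.c */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    bool   ok;      /* length field accepted */
    size_t len;     /* decoded content length */
    size_t cursor;  /* index of the first content byte */
} asn1_len_t;

/* VULNERABLE variant: decodes a DER length starting at data[dp] without
 * checking that the long-form length octets lie inside the buffer. */
static asn1_len_t decode_len_vuln(const uint8_t *data, size_t datalen, size_t dp)
{
    asn1_len_t r = { false, 0, dp };
    size_t len = data[dp++];                 /* short form, or 0x80|n for long form */
    if (len > 0x7f) {
        size_t n = len - 0x80;               /* number of length octets that follow */
        if (n == 0 || n > 2) return r;       /* indefinite / oversized lengths rejected */
        len = 0;
        for (; n > 0; n--)
            len = (len << 8) | data[dp++];   /* BUG: no check that dp < datalen */
    }
    /* Once dp has run past datalen, datalen - dp wraps to ~SIZE_MAX and this
     * overrun check passes for any len. */
    if (len > datalen - dp) return r;
    r.ok = true; r.len = len; r.cursor = dp;
    return r;
}

/* HARDENED variant: every subtraction of the form datalen - dp is made only
 * while dp <= datalen is known to hold, so it cannot wrap. */
static asn1_len_t decode_len_fixed(const uint8_t *data, size_t datalen, size_t dp)
{
    asn1_len_t r = { false, 0, dp };
    if (dp >= datalen) return r;             /* need at least one length byte */
    size_t len = data[dp++];
    if (len > 0x7f) {
        size_t n = len - 0x80;
        if (n == 0 || n > 2) return r;
        if (n > datalen - dp) return r;      /* FIX: length octets must fit in the buffer */
        len = 0;
        for (; n > 0; n--)
            len = (len << 8) | data[dp++];
    }
    if (len > datalen - dp) return r;        /* dp <= datalen still holds here */
    r.ok = true; r.len = len; r.cursor = dp;
    return r;
}

/* Constructed sample: tag 0x04 followed by a long-form prefix (0x82) that
 * claims two more length octets, but the logical buffer ends after the
 * prefix (datalen = 2).  The trailing bytes exist only so the demo's
 * out-of-bounds read stays in real memory. */
static const uint8_t crafted[8] = { 0x04, 0x82, 0x00, 0x05, 0, 0, 0, 0 };
static const size_t  crafted_datalen = 2;
static const size_t  crafted_dp = 1;         /* length field starts after the tag */

/* Constructed well-formed samples that both decoders must accept. */
static const uint8_t short_form[5] = { 0x04, 0x03, 'a', 'b', 'c' };
static const uint8_t long_form[5]  = { 0x04, 0x81, 0x02, 'x', 'y' };

int main(void)
{
    asn1_len_t v = decode_len_vuln(crafted, crafted_datalen, crafted_dp);
    asn1_len_t f = decode_len_fixed(crafted, crafted_datalen, crafted_dp);
    printf("vulnerable: ok=%d len=%zu cursor=%zu (datalen=%zu)\n",
           v.ok, v.len, v.cursor, crafted_datalen);
    printf("fixed:      ok=%d\n", f.ok);
    return 0;
}
```

Run stand-alone, the vulnerable decoder reports the crafted length as accepted with its cursor already past the end of the buffer, which is exactly the state in which a caller would go on to read content bytes from out-of-bounds memory; the fixed decoder rejects the same input at the length-octet check.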

Beyond the two RCE fixes, the large majority of this month's patches address elevation-of-privilege issues that would let a malicious application gain privileged access to a device. These were found in the usual suspects, such as Mediaserver and vendor device drivers, but also in less common places such as the camera service and the fingerprint subsystem.

The October patch has the third highest number of security updates

October ranks as the third-highest patching month since the Android Security Bulletin programme began in August 2015. The figure below shows, for each month since the programme's inception, the number of patches in that bulletin broken down by category.

[Figure: android-security-patches-10-7, patches per monthly bulletin broken down by category]

Protecting your devices

It is extremely important to keep your device up to date with the latest version of Android, and to check for malicious applications that may seek to exploit these vulnerabilities. You can check which security patch level your device is on by following Google's instructions (Settings, then About phone, then Android security patch level; the same value is exposed to tooling as the ro.build.version.security_patch system property). You are only patched against all of these vulnerabilities if your device reports the October 5, 2016 security patch level, as shown in the screenshot below. A device reporting October 1, 2016 has only the first group of platform fixes, not the kernel and vendor-specific ones.

[Screenshot: android-security-patch-level-screen, the Android security patch level as displayed in Settings]

Unfortunately, patching on Android is not straightforward, and some users will have to wait a significant time for a patch to become available for their device. Google's fixes usually pass through the device manufacturer, and often the carrier, before they reach the end user. These organizations sometimes hold patches, for example to release them in batches, so the latest fixes are not available to all Android users at the same time.

October 2016 patch stats

78 patches in total.

By severity:
8.97% (7) are rated critical
61.54% (48) are rated high
28.21% (22) are rated moderate
1.28% (1) are rated low

By type:
8.33% are remote code execution vulnerabilities
59.70% are elevation of privilege vulnerabilities
6.48% are denial of service vulnerabilities
12.04% are information disclosure vulnerabilities
The remaining 13.45% are Qualcomm-specific vulnerabilities without a specific classification.