
October's Android Security Bulletin patches 78 vulnerabilities

Google patches 78 vulnerabilities, including half a dozen critical flaws -- but none exploited in the wild -- in two patch levels in October's Android Security Bulletin.

The Android mobile operating system received patches for 78 vulnerabilities in this month's Android Security Bulletin from Google, including six critical and 47 high-severity vulnerabilities that enable everything from remote code execution to elevation of privilege, denial of service and disclosure of information.

The Android Security Bulletin included information on all the vulnerabilities, which were patched in an over-the-air update for Android's Nexus devices. Android partners received notification of the security issues in the bulletin on or before Sept. 6, Google wrote, adding that source code patches were posted to the Android Open Source Project repository, where applicable.

"The most severe of these issues are critical security vulnerabilities in device-specific code that could enable remote code execution within the context of the kernel, leading to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device," the bulletin read. "We have had no reports of active customer exploitation or abuse of these newly reported issues."

This Android Security Bulletin split patches for the 78 vulnerabilities into two separate patch levels to simplify management of the fixes for Android manufacturers. Patch level 2016-10-01 includes fixes for flaws in core Android components, drivers and services, which should be implemented as soon as possible by all OEM Android manufacturers. This patch level addresses 15 high-severity and five moderate-severity vulnerabilities.

The second patch level, 2016-10-05, addresses vulnerabilities in Android components that may not be included in all Android devices. This patch level, which encompasses fixes for 58 vulnerabilities in all, includes fixes for six critical vulnerabilities.

The most severe bugs in this Android Security Bulletin include CVE-2016-0758, an elevation of privilege vulnerability in the Linux kernel's ASN.1 decoder, as well as two flaws -- CVE-2016-7117 and CVE-2016-5340 -- which could enable a local malicious application to remotely execute arbitrary code through flaws in the kernel networking subsystem and kernel shared memory driver, respectively. These vulnerabilities were given critical severity ratings "due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device." Other critical severity vulnerabilities that were patched include a flaw in the MediaTek video driver and three vulnerabilities that affect Qualcomm components.

In other news

  • Dropbox users may want to take special care as new reports indicate 2012 breach data is now available, for free, courtesy of the cybersecurity researcher The Cthulhu, also known as Thomas White, who has released similar dumps of data from other breaches including Ashley Madison and Myspace. White wrote he wanted to keep the Dropbox data public "for those who are struggling to find a reliable source for research." News surfaced last month regarding the 2012 breach of 68 million Dropbox accounts. Shortly after the breach was made public, an active phishing campaign, apparently based on that data, was detected by security researchers at AppRiver, the cloud cybersecurity firm headquartered in Gulf Breeze, Fla., which wrote in a blog post they discovered "a malware-based phishing blast that attempts to impersonate itself as a Dropbox notification email."
  • Apple is taking a much harder line and will soon block new certificates issued by WoSign, the China-based certificate authority, from being trusted in both iOS and macOS. The new policy by Apple followed Mozilla's report on its investigation into questionable actions by WoSign, including the backdating of SHA-1 certificates. In the updates, Apple wrote: "Certificate Authority WoSign experienced multiple control failures in their certificate issuance processes for the WoSign CA Free SSL Certificate G2 intermediate CA. Although no WoSign root is in the list of Apple trusted roots, this intermediate CA used cross-signed certificate relationships with StartCom and Comodo to establish trust on Apple products." The changes will be made in an upcoming security update to iOS and macOS, and "Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA."
  • AT&T is joining with Amazon in a new, multi-year strategic alliance agreement intended to optimize the delivery of integrated solutions using AT&T's network and Amazon's AWS cloud services. According to the press release from AT&T, the alliance will focus on business cloud networking, IoT and threat management. "In order to deliver even more advanced networking capabilities to customers, AT&T and AWS will work together to identify new solutions with security, performance and mobility in mind. Emphasis will be placed on enhancing end-to-end customer visibility across more highly secure and high-performing network connections, allowing for faster and more automated decision-making capabilities to the customer."
  • Victims of the Polyglot (a.k.a. MarsJoke) ransomware now have a decryption tool available from Kaspersky Lab. The Kaspersky press release said: "The Polyglot ransomware mimics CTB-Locker in nearly every way. It has an almost identical graphics interface, a similar sequence of actions are required to obtain the decryption key, and the payment page, desktop Wallpaper, etc., all look the same. The creators of Polyglot apparently thought that by mimicking CTB-Locker they could trick users and make them think they are suffering from serious malware, leaving them with no option other than to pay the criminals." Unlike CTB-Locker, however, the Polyglot ransomware "uses a weak encryption key generator. A brute-force search through the whole set of possible Polyglot decryption key variants can be performed in less than a minute on a standard PC. Discovering this weakness allowed Kaspersky Lab experts to develop a tool that can help to unlock users' data."


Join the conversation


How can Android security bulletins better serve Android users who aren't using Google Android devices?
What you can ATTEMPT is ENSURING the CELL PHONE CARRIER (i.e. BOOST, NET 10, etc.) PUSHES THE UPDATE TO THE USER'S PHONE VIA A NOTIFICATION THAT THEY SHOULD download the patches as soon as possible, or go the distance and send an email of high priority to the user's INBOX.
The logic being: "they bought a phone, they gave you the revenue, it's the RIGHT THING TO DO," and WARNING THEM OF THE IMPLICATIONS if they don't.
Me myself, I stumbled across this forum, but being one in data services for over 30 years, BACK to the IBM 4300 and AS/400, I felt compelled to contribute, as I, as a user, wonder "how do I get the patch?" Normally CERT WOULD PROVIDE ME WITH THE INFO about ANY vulnerability and where and what to do about it.
I.e., the TELNET port 23 remote CODE execution issue.
The sad part, MainFrame1962, is there is little incentive for carriers to do anything to extend the useful life of devices routinely replaced after just two years in service.

As much as we, as consumers, might expect a vendor to provide security updates to the devices they sell, I'm not going to hold my breath for that to happen.