October's Android Security Bulletin patches 78 vulnerabilities

Google patches 78 vulnerabilities, including half a dozen critical flaws -- but none exploited in the wild -- in two patch levels in October's Android Security Bulletin.

The Android mobile operating system received patches for 78 vulnerabilities in this month's Android Security Bulletin from Google, including six critical and 47 high-severity vulnerabilities that enable everything from remote code execution to elevation of privilege, denial of service and disclosure of information.

The Android Security Bulletin included information on all the vulnerabilities, which were patched in an over-the-air update for Android's Nexus devices. Android partners received notification of the security issues in the bulletin on or before Sept. 6, Google wrote, adding that source code patches were posted to the Android Open Source Project repository, where applicable.

"The most severe of these issues are critical security vulnerabilities in device-specific code that could enable remote code execution within the context of the kernel, leading to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device," the bulletin read. "We have had no reports of active customer exploitation or abuse of these newly reported issues."

This Android Security Bulletin split patches for the 78 vulnerabilities into two separate patch levels to simplify management of the fixes for Android manufacturers. Patch level 2016-10-01 includes fixes for flaws in core Android components, drivers and services, which should be implemented as soon as possible by all OEM Android manufacturers. This patch level addresses 15 high-severity and five moderate-severity vulnerabilities.

The second patch level, 2016-10-05, addresses vulnerabilities in Android components that may not be included in all Android devices. This patch level, which encompasses fixes for 58 vulnerabilities in all, includes fixes for six critical vulnerabilities.
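As an added illustration (not from the bulletin or the article), a small Python check of the two-level scheme above: given a device's `ro.build.version.security_patch` string (assumed to be collected with `adb shell getprop`), it reports whether the device carries the core 2016-10-01 fixes, the full 2016-10-05 set, or neither, and can do so over a constructed fleet inventory.

```python
from datetime import date
from typing import Dict

# Patch levels named in the October 2016 bulletin.
CORE_LEVEL = date(2016, 10, 1)   # core components, drivers, services (20 issues)
FULL_LEVEL = date(2016, 10, 5)   # superset of the above plus device-specific fixes (58 issues)


def parse_patch_level(value: str) -> date:
    """Parse a YYYY-MM-DD security patch level string as reported by the device."""
    year, month, day = (int(part) for part in value.strip().split("-"))
    return date(year, month, day)


def coverage(device_level: str) -> str:
    """Classify a device's declared patch level against the October 2016 bulletin.

    A device declaring a given patch level is expected to include all fixes from
    that level and every earlier one, so the check is a date ordering.
    """
    level = parse_patch_level(device_level)
    if level >= FULL_LEVEL:
        return "full"        # 2016-10-01 and 2016-10-05 fixes both present
    if level >= CORE_LEVEL:
        return "core-only"   # core fixes present, device-specific fixes missing
    return "unpatched"       # predates this bulletin entirely


def report(levels: Dict[str, str]) -> Dict[str, str]:
    """Map device id -> coverage class for an inventory of patch-level strings."""
    return {dev: coverage(lvl) for dev, lvl in levels.items()}


if __name__ == "__main__":
    # Constructed sample inventory; values are what getprop would return.
    sample = {
        "nexus-a": "2016-10-05",
        "nexus-b": "2016-10-01",
        "oem-c": "2016-09-06",
        "oem-d": "2016-11-01",
    }
    for dev, state in report(sample).items():
        print(f"{dev}: {state}")
```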

The most severe bugs in this Android Security Bulletin include CVE-2016-0758, an elevation of privilege vulnerability in the Linux kernel's ASN.1 decoder as well as two flaws -- CVE-2016-7117 and CVE-2016-5340 -- which could enable a local malicious application to remotely execute arbitrary code through flaws in the kernel networking subsystem and kernel shared memory driver, respectively. These vulnerabilities were given critical severity ratings "due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device." Other critical severity vulnerabilities that were patched include a flaw in the MediaTek video driver and three vulnerabilities that affect Qualcomm components.

In other news

  • Dropbox users may want to take special care as new reports indicate 2012 breach data is now available, for free, courtesy of the cybersecurity researcher The Cthulhu, also known as Thomas White, who has released similar dumps of data from other breaches including Ashley Madison and Myspace. White wrote he wanted to keep the Dropbox data public "for those who are struggling to find a reliable source for research." News surfaced last month regarding the 2012 breach of 68 million Dropbox accounts. Shortly after the breach was made public, an active phishing campaign, apparently based on that data, was detected by security researchers at AppRiver, the cloud cybersecurity firm headquartered in Gulf Breeze, Fla., which wrote in a blog post they discovered "a malware-based phishing blast that attempts to impersonate itself as a Dropbox notification email."
  • Apple is taking a much harder line and will soon block new certificates issued by WoSign, the China-based certificate authority, from being trusted in both iOS and macOS. The new policy by Apple followed Mozilla's report on its investigation into questionable actions by WoSign, including the backdating of SHA-1 certificates. In the updates, Apple wrote: "Certificate Authority WoSign experienced multiple control failures in their certificate issuance processes for the WoSign CA Free SSL Certificate G2 intermediate CA. Although no WoSign root is in the list of Apple trusted roots, this intermediate CA used cross-signed certificate relationships with StartCom and Comodo to establish trust on Apple products." The changes will be made in an upcoming security update to iOS and macOS, and "Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA."
  • AT&T is joining with Amazon in a new, multi-year strategic alliance agreement intended to optimize the delivery of integrated solutions using AT&T's network and Amazon's AWS cloud services. According to the press release from AT&T, the alliance will focus on business cloud networking, IoT and threat management. "In order to deliver even more advanced networking capabilities to customers, AT&T and AWS will work together to identify new solutions with security, performance and mobility in mind. Emphasis will be placed on enhancing end-to-end customer visibility across more highly secure and high-performing network connections, allowing for faster and more automated decision-making capabilities to the customer."
  • Victims of the Polyglot (a.k.a. MarsJoke) ransomware now have a decryption tool available from Kaspersky Lab. The Kaspersky press release said: "The Polyglot ransomware mimics CTB-Locker in nearly every way. It has an almost identical graphics interface, a similar sequence of actions is required to obtain the decryption key, and the payment page, desktop wallpaper, etc., all look the same. The creators of Polyglot apparently thought that by mimicking CTB-Locker they could trick users and make them think they are suffering from serious malware, leaving them with no option other than to pay the criminals." Unlike CTB-Locker, however, the Polyglot ransomware "uses a weak encryption key generator. A brute-force search through the whole set of possible Polyglot decryption key variants can be performed in less than a minute on a standard PC. Discovering this weakness allowed Kaspersky Lab experts to develop a tool that can help to unlock users' data."
