CVE-2016-5195, Plenty of Flaws Fixed in Android's December Bulletin - How to, Technology and PC Security Forum | SensorsTechForum.com

CVE-2016-5195, Plenty of Flaws Fixed in Android’s December Bulletin

android-bug-stforum

Dirty Cow may sound like someone’s favorite insult but it’s actually Google’s latest Android vulnerability addressed in the corresponding security update. This particular fix comes along with 49 flaws, 11 of which are rated critical fixes.

Related: Do You Need Antivirus Software on Android, iOS and Windows Phone?

The security bulletin, released on December 5, contains details of security flaws that endanger Android devices. In addition to the bulletin, Google has also released a security update through an “over-the-air” (OTA) update.

The Google device firmware images have also been released to the Google Developer site. Security patch levels of December 05, 2016 or later address all of these issues.

More about the December Security Bulletin for Android

Google says that the most severe of the issues are critical flaws in device-specific code that could lead to arbitrary code execution in the kernel. This could cause a local permanent device compromise, which may require reflashing the OS to fix the device.

Dirty Cow a.k.a. CVE-2016-5195

This particular flaw has been located in the kernel as well as Linux distributions for almost ten years. The security flaw could allow attackers to obtain root privileges via a race condition bug and then gain write-access to read-only memory. The vulnerability was patched in both the kernel and Linux in October. However, Android devices had to wait for a fix, and unfortunately there have been exploit kits leveraging the issue in the wild.

Besides Dirty Cow, another root privilege flaw was addressed – CVE-2016-4794.

Other privilege escalation flaws were also found and fixed in the kernel and the kernel’s ION driver, together with the HTC sound codec driver and MediaTek driver. Other components were also affected by privilege escalation issues: the kernel security and kernel performance subsystems, MediaTek I2C driver, Synaptics touchscreen driver and Broadcom Wi-Fi driver.

Related: BIND Vulnerability CVE-2016-2776 Could Cause DoS Attacks

A denial-of-service flaw was also addressed in the Android GPS system, as well as several information disclosure flaws in kernel components.

Qualcomm Component Bugs Also Fixed

More particular, a privilege escalation bug and information leaks were addressed in the December bulletin. A Telephony denial of service (TDos) vulnerability and a remote execution flaw were also handled in the Android Framesequence library.

Google has thanked multiple researchers from different companies such as Alibaba Mobile Security Group, Qihoo 360, Tencent, Baidu X-Lab and TrendMicro. Apparently, no tech giant could survive on its own in the jungle of exploits.

For full technical disclosure of all the flaws addressed in the bulletin, go to Android’s page.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Newsletter
Subscribe to receive regular updates about the state of PC Security and latest threads.

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.