Android Security Bulletin December 2016: What you need to know

Although there are no new Critical vulnerabilities in the Android December 2016 Security Bulletin, there are plenty of flaws to be found this month. Get the highlights.

Image: iStock/Kirill_Savenko

How did Android fare in the December 2016 Security Bulletin? Thankfully, the platform dodged the Critical bullet this month. Even so, there are plenty of vulnerabilities, including six Critical issues from previous bulletins, one of which is related to the Dirty Cow vulnerability found in the Linux kernel; as you probably suspect, the Mediaserver is part of the fun. Let's dive in and see what's what.

SEE: Google patches Dirty Cow vulnerability in latest Android security update (ZDNet)

Check your security release

Before we highlight what's included with the December 2016 Android Security Bulletin, it's always good to know what security release your device has installed.

Of the Android devices I use regularly, the Verizon-branded Nexus 6 running Android 7.0 is two updates behind with the October 2016 security update (Figure A), and my OnePlus 3 is now up to the November 2016 security update (Figure B). Nexus devices, as well as the new Pixel phones, will always be ahead of the curve for the security patches, and the OnePlus 3 has been discontinued so updates may be much slower to arrive.

Figure A

The Nexus 6 running Android 7 and October's security patch.

Figure B

My OnePlus 3 bumped up to the November 2016 patch.

To find out which security release is installed on your device, open Settings, scroll down and tap About Phone, and then look for Android Security Patch Level. If you see an older security patch level, fret not: a new one will appear in an update soon. Android 7.1.1 is due out by the end of December; my guess is the security patches should arrive with that update.
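The Settings screen reads the value of the ro.build.version.security_patch system property. As an added example (not part of the article), the POSIX shell script below pulls that same property over adb when a device is attached and works out how many monthly bulletins behind the device is. The adb calls and the fallback value are assumptions: with no device connected it uses a constructed October 2016 level, the same month the article's Nexus 6 reports, and the bulletin month is hard-coded to December 2016.

```shell
#!/bin/sh
# Added example: compare a device's Android security patch level against the
# current monthly bulletin and report how far behind the device is.

# months_behind DEVICE_LEVEL BULLETIN_MONTH
# DEVICE_LEVEL is a YYYY-MM-DD string (the security_patch property);
# BULLETIN_MONTH is YYYY-MM or YYYY-MM-DD. Prints the month difference.
months_behind() {
    dev_y=$(echo "$1" | cut -d- -f1)
    dev_m=$(echo "$1" | cut -d- -f2)
    bul_y=$(echo "$2" | cut -d- -f1)
    bul_m=$(echo "$2" | cut -d- -f2)
    # Strip a leading zero so "08"/"09" are not parsed as invalid octal.
    dev_m=${dev_m#0}
    bul_m=${bul_m#0}
    echo $(( (bul_y * 12 + bul_m) - (dev_y * 12 + dev_m) ))
}

# read_patch_level: query the attached device for its patch level; if adb is
# missing or no device is attached, fall back to a constructed sample value
# (assumption: an October 2016 level, as on the article's Nexus 6).
read_patch_level() {
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
        adb shell getprop ro.build.version.security_patch | tr -d '\r'
    else
        echo "2016-10-05"
    fi
}

# The bulletin being checked against (assumption: December 2016).
BULLETIN_MONTH="2016-12"

# report: prints whether the device is current or how many bulletins it lags.
report() {
    level=$(read_patch_level)
    behind=$(months_behind "$level" "$BULLETIN_MONTH")
    if [ "$behind" -le 0 ]; then
        echo "Patch level $level is current for the $BULLETIN_MONTH bulletin."
    else
        echo "Patch level $level is $behind bulletin(s) behind $BULLETIN_MONTH; check for an update."
    fi
}

report
```

Run it with a device attached and USB debugging enabled to see the live value; without one it demonstrates the arithmetic on the sample level.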

With that said, let's dive into what's new for December.

High issues

Remote code execution vulnerability in CURL/LIBCURL

The CURL command-line tool and the LIBCURL library (used for transferring data over various protocols) contain a vulnerability that could enable a man-in-the-middle attacker, using a forged certificate, to execute arbitrary code within the context of a privileged process. Because the attacker needs a forged certificate, this vulnerability is rated as High.

Related bugs: A-31271247, A-31271247, A-31271247

Elevation of privilege vulnerability in libziparchive

The libziparchive library includes an elevation of privilege vulnerability that could allow a malicious application to execute arbitrary code within the context of a privileged process. Because it could be used to gain local access to elevated capabilities not normally accessible to third-party apps, this issue is rated as High.

Related bug: A-31251826

Denial of service vulnerability in Telephony

A vulnerability in the Telephony subsystem could allow a permanent denial of service: an attacker could use a malicious file to cause a device to hang or automatically reboot. Because of the possibility of a denial of service attack, this vulnerability is rated as High.

Related bug: A-31530456

Denial of service vulnerability in Mediaserver

The component that keeps on giving, Mediaserver, is back with a number of bugs that can cause a denial of service. This vulnerability could enable an attacker to use a malicious file to cause a device to hang or reboot. Because of the possibility of a denial of service attack, this vulnerability is rated as High. Note: Google devices running Android 7 are not affected by this issue.

Related bugs: A-31318219, A-31449945, A-31681434, A-31833604

Remote code execution vulnerability in the Framesequence library

The Framesequence library contains a vulnerability that could enable an attacker, using a malicious file, to execute arbitrary code in the context of an unprivileged process. Because of the possibility of remote code execution, this issue is rated as High.

Related bug: A-31631842

Moderate issues

Elevation of privilege vulnerability in Smart Lock

The Android Smart Lock system contains an elevation of privilege vulnerability that could enable a user to access the feature's settings without entering a PIN. Because the attacker needs physical access to the device, this issue is rated as Moderate.

Related bug: A-29055171

Elevation of privilege vulnerability in the Framework APIs

The Framework APIs (the set of APIs that let developers quickly and easily write apps for Android phones) contain a vulnerability that could enable a local malicious application to access functions beyond its normal access level. Because it allows bypassing local restrictions within a contained process, this vulnerability is rated as Moderate.

Related bug: A-30202228

Elevation of privilege vulnerability in Wi-Fi

The Wi-Fi subsystem contains a vulnerability that could enable a local malicious app to execute arbitrary code within the context of a privileged process. Because the attacker would first need to compromise a privileged process, this issue is rated as Moderate.

Related bug: A-31856351

Information disclosure vulnerability in package manager

The Android package manager contains a vulnerability that could enable a local malicious app to bypass the system protections that isolate application data. Because the attacker would first need to compromise a privileged process, this vulnerability is rated as Moderate.

Related bug: A-31251489

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to end users to ensure the fixes find their way onto devices. Make sure you not only check for updates, but also apply them as soon as they are available.

To see the full listing of vulnerabilities, check out the Android December Security Bulletin.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.