It's that time again! Google has released the Android Security Bulletin, and I'm here to give you the highlights reel.
Google began releasing the Android Security Bulletin back in August 2015. The point of the monthly security update was to keep those interested in the know about the updates arriving over the air to their devices. With this bulletin you can start to better understand the fundamentals of mobile security and the security architecture of the Android platform. Each month a new bulletin is released that details the security updates sent to eligible devices. Most of the updates roll out to Nexus devices first. Post-Nexus, OEMs and carriers then roll out the updates to the various devices.
With that said, what are the highlights of the April 2016 Android Security Bulletin? Let's take a look.
Critical: Remote Code Execution Vulnerability in DHCPCD
This vulnerability, found within the Dynamic Host Configuration Protocol service, could enable an attacker to cause memory corruption, which could then lead to remote code execution. Because of the possibility of remote code execution, this issue is rated as Critical severity. This bug particularly affects IPv6 Router Advertisement processing, causing it to crash.
Critical: Remote Code Execution Vulnerability in Media Codec/Mediaserver
This allows vulnerabilities in a media codec to process a specially crafted file in such a way to allow an attacker to cause memory corruption and remote code execution. This affected functionality is a core part of the operating system, and multiple applications are made vulnerable (in particular, MMS and media playback within a browser). This issue has been flagged as critical due to the possibility of remote code execution of audio and video streams and because the mediaserver has access to privileges that third-party apps cannot normally access.
Critical: Remote Code Execution Vulnerability in libstagefright
Looks like StageFright wanted a curtain call. This vulnerability allows an attacker to cause memory corruption and remote code execution within the mediaserver process (specifically through the execution of media through MMS), thanks to libstagefright. The issue was found to affect four files:
Critical: Elevation of Privilege Vulnerability in Kernel
When the word kernel is used, you can always bet it's serious. In this case, the vulnerability, caused by an elevation of privilege in the kernel, could enable a local malicious application to execute arbitrary code...and do so within the kernel. Because of the possibility of permanent compromise, an affected device would have to be re-flashed to resolve the issue. For more information, check out the Android Security Advisory 2016-03-18.
High: Elevation of Privilege Vulnerability in Telecom Component
This vulnerability could lead to an elevation of privileges in the Telecom Component, which could enable an attacker to make calls appear to come from any arbitrary number. Because this vulnerability could be used to access elevated capabilities and privileges through Signature or SignatureOrSystem, it is rated as high.
High: Elevation of Privilege Vulnerability in Download Manager
This vulnerability also uses capabilities, such as Signature or SignatureOrSystem, to take advantage of a privilege vulnerability in the Download Manager and enable an attacker to gain access to unauthorized files in private storage. Neither Signature nor SignatureOrSystem cannot access third-party applications, which is why this vulnerability was not labeled as critical.
High: Elevation of Privilege Vulnerability in Bluetooth
This vulnerability affects the Bluetooth system in such a way as to allow an untrusted device to pair with the phone (but only during initial pairing process). This could allow the untrusted device to gain access to the phone's resources such as the internet connection.
Because the vulnerability can allow an untrusted device to gain elevated capabilities, it is rated as high. This vulnerability was originally discovered in the Porsche car-kit pairing workaround.
High: Denial of Service Vulnerability in Minikin
Here we have a denial of service vulnerability found in the Minikin library that could allow a local attacker to temporarily block access to an affected device. The vulnerability allows an attacker to cause an untrusted font to be loaded; this would force an overflow in the Minikin component, which would lead to a crash.
This vulnerability is rated as high because a denial of service would lead to a continuous reboot loop.
Moderate: Elevation of Privilege Vulnerability in Wi-Fi
Looks like the Signature and SignatureOrSystem permissions privileges are the big winner this month. This vulnerability would allow an elevation of privilege in Wi-Fi that could enable a local malicious application to execute arbitrary code. This vulnerability is directly related to Certificate Authorities and affects only those added for the operating system (not individual apps or wireless).
Moderate: Information Disclosure Vulnerability in AOSP Mail
This vulnerability affects Android Open Source Project (AOSP) Mail clients and could enable a local malicious application to gain access to a user's private information. This vulnerability is rated as moderate because it could be used to improperly gain "dangerous" permissions, which could then hand over private information to the attacker.
The more you know...
To see if your device has been issued the latest security patch, go to Settings | About Phone and then look for Android Security Patch Level, where you will see a date indicating your current patch level (Figure A).
A Verizon-branded Nexus 6 showing the April 2016 patch has yet to arrive.
- Android N: Here's what's inside the latest developer release (ZDNet)
- Don't sideload Android apps from untrusted sources (TechRepublic)
- How to use the ProtonMail encrypted email service on Android (TechRepublic)
- How to find out your Android Marshmallow Security Patch level (TechRepublic)
- Android Security Update March 2016: What you need to know (TechRepublic)
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.