Android 7.1.1 is ready to install for Nexus and Pixel devices, bringing with it features previously available only to Pixel devices and the December patch, which fixes 40 issues covering 74 vulnerabilities.
As with previous months, the December patch is split into two security patch levels. The partial security patch level, 2016-12-01, addresses 11 issues, while the complete patch level, 2016-12-05, fixes 29 issues.
Among the partial patch level includes a fix for an elevation of privilege flaw affecting Google’s Smart Lock, a login security feature that keeps an Android phone unlocked if it’s connected to a user’s smart watch. The bug could allow an attacker to change Smart Lock settings, however Google rates it a moderate threat since the attacker would need physical access to a device where the last thing done to the settings panel was a change to Smart Lock. The bug affects all versions of Android below Android 7.0 Nougat.
A more serious threat is an issue in the CURL/LIBCURL libraries that affect Android, covering a trio of bugs that exposed Linux distributions such as Red Hat, Debian and Ubuntu to forged digital certificate attacks. On Android, it could allow for remote code execution.
“The most severe issue could enable a man-in-the-middle attacker using a forged certificate to execute arbitrary code within the context of a privileged process. This issue is rated as High due to the attacker needing a forged certificate,” Google notes in the advisory.
Overall, the partial patch level addresses four high impact issues via 10 individual vulnerabilities, as well as six moderate issues across six vulnerabilities. There were no critical issues in the partial patch.
The much larger complete December patch level fixes six critical issues spanning 11 vulnerabilities, 17 high impact issues across 33 vulnerabilities, and 5 moderate issues covering 14 vulnerabilities.
Most of the critical bugs are elevation of privilege flaws affecting the Linux kernel memory subsystem, the Nvidia GPU driver, the Linux kernel, the Nvidia video driver, and the kernel ION driver. There are also “vulnerabilities in Qualcomm components”.
Each of the critical bugs could allow a malicious application on a device to execute arbitrary code within the kernel. Google rates them critical since each could result in a local permanent device compromise, which may necessitate re-flashing the OS to repair a device.
The only critical issue affecting Google’s new Pixel and Pixel XL are two vulnerabilities that make up the kernel memory subsystem issue. The issue also affects the Pixel C, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, and Nexus Player.
The December patch also mops up a number of old Qualcomm driver bugs. A high severity issue caused by four vulnerabilities in Qualcomm media codes, originally reported in June and July, also affects the Pixel and Pixel XL. These could allow a malicious app installed on a device to execute arbitrary code within a privileged process.
Other bugs that impact Pixel handsets include a trio of high severity Qualcomm sound driver vulnerabilities, and elevation of privilege flaws in the Linux kernel security subsystem and the Synaptics touchscreen driver, as well as a denial of service bug in the Qualcomm GPS component.
Google has also updated its Android distribution figures for December. It’s been just over four months since Google released Android 7.0 Nougat. As of December 5, it is installed on 0.4 percent of Android devices that connect to the Google Play app store, up from 0.3 percent last month.
- Application security testing growing in Australia but skills gap limits its scope
- CISOs sidelined as Australia’s buoyant IT-security jobs market focuses on consultants
- Google drops “Android for Work” because plain Android is so secure
- NIST to add over 200,000 Android and iOS apps to forensics toolkit
- Reviewing December’s SAP Security update.