In its June Android update, released on June 7, Google has fixed 40 vulnerabilities, eight of which are rated critical. Once again, the security update includes a familiar set of flaws, with media server issues and Qualcomm drivers topping the list.
In fact, six of the eight critical issues were found in Qualcomm drivers: CVE-2016-2062, CVE-2016-2464, CVE-2016-2465, CVE-2016-2466, CVE-2016-2467 and CVE-2016-2468. The flaws were found in the Qualcomm video, sound, GPU and WiFi driver components that are integrated with hundreds of millions of Android devices. All six vulnerabilities are privilege escalation issues that could potentially enable a malicious application to execute arbitrary code.
Google also once again had to patch vulnerabilities in its much maligned media server component. In the June update, Google patched 15 vulnerabilities in media server, including one critical remote code execution vulnerability (CVE-2016-2463), 12 high-impact privilege escalation flaws, one high-impact denial-of-service flaw (CVE-2016-2495) and a moderate impact information disclosure vulnerability (CVE-2016-2500).
The media server component is in the same part of the Android operating system as the libstagefright media server that was first exposed to risk in July 2015 and has been patched in every Google update since August 2015. In the May Android update, Google patched seven vulnerabilities in media server. For the upcoming Android N release, Google has pledged to rearchitect the media server system to improve security.
With the 40 vulnerabilities fixed in the June update, Google has now patched at least 163 vulnerabilities so far in 2016. A key challenge, however, is getting handset vendors to implement all those patches and making them available to end users.
Google's supported Nexus phones all get the Android updates relatively quickly after each monthly update is issued, but other Android phones have not been quite as fortunate. Google is now working on a plan to publicly pressure handset vendors that don't make updates available quickly for end users and is planning to integrate a more robust updating system that helps keep devices up to date with patching.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.