Google announced its last regularly scheduled security patch update for Android in 2016 on Dec. 5, patching no less than 74 different vulnerabilities in the mobile operating system. The December vulnerability patch count is an improvement over the 83 vulnerabilities patched by Google in the November Android security update.
As has been the case in recent months, Google is splitting out the Android update into two different patch levels to help vendors deliver updates quickly. The 2016-12-01 level is a partial security patch string, while 2016-12-015 is the complete security patch level.
In total across all patch levels, there are 11 vulnerabilities that are rated by Google as being critical, which is the highest severity level in Google’s vulnerability ranking system.
Of the 11 critical vulnerabilities, six are found in NVIDIA drivers. Three of the critical flaws (CVE-2016-6775, CVE-2016-6776 and CVE-2016-6777) are privilege escalation flaws in the NVIDIA GPU driver, while the other three (CVE-2016-6915, CVE-) are privilege escalation flaws in the NVIDIA video driver. The December NVIDIA critical flaw updates follow seven prior issues that Google patched with NVIDIA android drivers in November.
The December Android update also has a critical patch identified as CVE-2106-8411 that Google refers to as, vulnerabilities in Qualcomm components. In addition to the critical Qualcomm vulnerability, there are seven additional vulnerabilities in Qualcom components rated as having high severity and three with moderate severity.
Qualcomm components have been a source of multiple security update in Android over the course of 2016, including the Quadrooter flaws that were publicly detailed at the DefCon security conference in August.
Also of note, are more updates for Android’s much maligned mediaserver framework. For the December update there are four Denial of Service (DoS) vulnerabilities in media server rated as high, and an information disclosure vulnerability that has a medium severity rating.
Android’s media server and related libraries have been under scrutiny from security researchers since June 2015, when the first Stagefright flaw was revealed.
As has also been the case in recent Android updates, Google is now providing patches for issues previously fixed in the upstream Linux kernel. In the December update there are two critical patches (CVE-2016-4794 and CVE-2016-5195) for privilege vulnerability issues in the kernel memory subsystem. patched by the Linux community earlier this year.
Among the other interesting flaws patched by Google is a privilege escalation issue identified as CVE-2016-6769 in the Android Smart Lock feature.
“An elevation of privilege vulnerability in Smart Lock could enable a local malicious user to access Smart Lock settings without a PIN,” Google warns in its advisory. “This issue is rated as Moderate because it first requires physical access to an unlocked device where Smart Lock was the last settings pane accessed by the user.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist