
Google fixed Android vulnerabilities

Google has released the Android Security Bulletin — December 2016, an Android update that fixes multiple vulnerabilities in the OS as well as in third-party components from NVIDIA, MediaTek, HTC and Qualcomm. For example, three Local Privilege Escalation (LPE) vulnerabilities were fixed in the HTC audio codec driver; attackers could have used them to run malicious code in Android kernel mode. This fix applies to the Google Nexus 9.



Notably, this bulletin does not fix a single critical Android vulnerability that could be used for remote code execution with elevated privileges, for example through the notorious Mediaserver component, which is responsible for processing multimedia files.
At the same time, the update closes a number of critical LPE vulnerabilities in the kernel and its components. These vulnerabilities are listed in the table below and are rated Critical because they can be used to install malicious code on a device with full root privileges, which in turn may require reflashing the device to remove that code completely.



Two of the critical LPE vulnerabilities in the Android kernel, CVE-2016-4794 and CVE-2016-5195, are in the kernel's virtual memory manager. An attacker can run an exploit locally on Android and install code with root privileges on the device, which may require reflashing the device to remove it. The updates apply to the Pixel C, Pixel, Pixel XL, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One and Nexus Player.

Similar LPE vulnerabilities are present in the NVIDIA video driver and allow attackers to gain root on the device. The update applies to the Nexus 9 and Pixel C.

Samsung has also released an Android update for its users, publishing the SMR-DEC-2016 bulletin. Most of the Samsung vulnerabilities fixed are rated Low, and only a few, SVE-2016-6978, SVE-2016-7661, SVE-2016-7662 (OMACP Security Issue) and SVE-2016-7341 (Heap overflow in sensor driver), are rated Medium.

We encourage users to update their Android devices.

be secure.

Source: https://habr.com/ru/post/316960/

