Google Fixes Dozens Of Security Vulnerabilities In Android October Update, But Many Users Remain Left Out

Android 7.0 may have brought many security improvements, but all code can be vulnerable to bugs. In its security patch for October, Google seems to have fixed dozens of bugs, most of them of “High” severity and a few “Critical” ones. However, because only Nexus users and owners of a few other smartphone models will receive this update, most users will likely remain vulnerable to all of the discovered vulnerabilities.

Many New Bugs Despite Architecture Enhancements

Android 7.0 “Nougat” brought multiple security enhancements and features this year. The new OS comes with improved file-based encryption, a strictly verified boot process, mandatory hardware-backed keystore, a universal and unmodifiable certificate store, and more modular and sandboxed media capabilities (to avoid Stagefright-level vulnerabilities in the future).

Despite all of these security improvements, there have already been dozens of bugs fixed in last month’s security update, and this month there seem to be even more security fixes as Google came closer to releasing its Pixel phones. Most of the bugs do seem to involve core Android components, but many of them are also vendor specific. Qualcomm, especially, seems to have been hit with multiple “High” severity bugs that could’ve given attackers elevated privileges.

“Critical” Bugs

The most dangerous, “Critical”-level bugs include three remote execution vulnerabilities in the kernel, one in MediaTek’s video driver, and three critical bugs in “Qualcomm components” that, strangely enough, don’t seem to come with any description of what they do.

It’s likely that the three vulnerabilities are related to the QuadRooter vulnerability, which was revealed this summer but uncovered in spring (when Qualcomm was also notified about it).

“High” Severity Bugs

A few more high-severity elevation of privilege vulnerabilities were uncovered in other components of Qualcomm’s software stack, including in its crypto engine, sound, video, camera, QSEE (Qualcomm Secure Execution Environment), and networking drivers.

A few high severity bugs in their drivers hit Nvidia and MediaTek as well, but not nearly as much as Qualcomm (it’s also possible Google didn’t analyze their drivers as thoroughly as it did Qualcomm’s).

Stagefright mediaserver library vulnerabilities also make a comeback. One “moderate” severity bug could allow an attacker to access sensitive information without permission, while another high severity one could enable denial of service attacks that cause the phone to hang or reboot. Three other high severity mediaserver bugs that affect Android versions 4.4.4-7.0 could also allow an attacker to execute arbitrary code.

Google found a few more elevation of privilege and denial of service vulnerabilities in the core components of Android, such as ServiceManager, Lock Settings Service, the Zygote process, framework APIs, Telephony, Camera service, fingerprint login, AOSP mail, Wi-Fi, GPS, and the Accessibility services.

Most Users Left Out Of Security Patches

Despite Android being “only” a mobile operating system, the codebase is already quite large now, so many vulnerabilities will continue to be found, especially right after a major new release. Android is not alone; Apple fixed around 100 iOS bugs in one go as well in the past.

With the new monthly update schedule, the vulnerabilities aren’t as big of an issue as they would’ve been otherwise, at least for Nexus/Pixel devices and a few other large smartphone makers that have committed to the monthly security updates. However, the bigger danger is to those users who may never get these patches, which includes the majority of the Android user base. This will continue to be Android’s biggest weakness for the foreseeable future.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • thundervore
    This is the main reason Google needs to take the Android phones out of the hands of manufacturers and carriers.

    As we are now, a phone only receives 1 OS update and is then forgotten. The time it takes to receive that update is months because it has to go to the manufacturer first who injects bloatware, then the manufacturer gives it to the carrier who injects their own bloatware and gives it to the customer.

    By the time a phone on the market for 18 months gets an OS upgrade the next model is already out and the manufacturers are focusing on the new model. So the only way to get upgrades seems to be to buy a new phone or rooting and installing third party roms.

    The Pixel line is a step in the right direction where the phones are made for Google and Google does whatever they want, similar to how Foxconn makes the phones for Apple and Apple does whatever they want.
  • ohim
    Apple and Microsoft address these updates on all certified phones while on Android once you bought the phone there is little chance that you'll ever get an update, not to talk about a 2nd or 3rd one. And yet Android is the most popular platform out there... people in general seem to like messy things.
  • p8ball4life
    The guy below was close, but didn't quite drive it home. Convincing consumers to upgrade yearly, or even every other year, is increasingly difficult for carriers and manufacturers. There is no incentive for them to provide long term updates when they can use security as a selling point for the latest model.
  • bloodroses
    I'd hope that Pixel would be a step in the right direction, but with Google's track record I'd say that it won't. Google already had an official phone line (Nexus), but they dropped it.

    http://arstechnica.com/gadgets/2016/10/google-no-plans-for-future-nexus-devices/
  • thundervore
    18688585 said:
    I'd hope that Pixel would be a step in the right direction, but with Google's track record I'd say that it won't. Google already had an official phone line (Nexus), but they dropped it.

    http://arstechnica.com/gadgets/2016/10/google-no-plans-for-future-nexus-devices/

    The problem with the Nexus phones was that they lacked what others offered.
    - No expandable storage
    - lame camera resolution
    - no wireless charging

    They now have the opportunity to drop the entire line and start fresh with specs on par with the heavy hitters. Best of all there will be no OEM branding on the outside of the phone.
  • captaincharisma
    18688700 said:
    18688585 said:
    I'd hope that Pixel would be a step in the right direction, but with Google's track record I'd say that it won't. Google already had an official phone line (Nexus), but they dropped it.

    http://arstechnica.com/gadgets/2016/10/google-no-plans-for-future-nexus-devices/

    The problem with the Nexus phones was that they lacked what others offered.
    - No expandable storage
    - lame camera resolution
    - no wireless charging

    They now have the opportunity to drop the entire line and start fresh with specs on par with the heavy hitters. Best of all there will be no OEM branding on the outside of the phone.

    Nexus phones were not about having the best features. They were meant to be feature rich phones with no bloatware, and can be found at a low price (the price on the last 2 was really high though). Some Nexus phones had wireless charging and phones like the Nexus 6P have a camera comparable to the camera on the iPhone 7, and expandable storage has never been a big issue as much as the trolls make it out to be. If you are looking for security in the Android world you could always get it from Nexus phones because of the fast updates, and even when Google stops updating the phone after a few years it's easy to put a custom rom on it that will still keep it up to date.

  • John Wittenberg
    CAPTAINCHARISMA, not everyone lives in an area where they have a constant cell phone signal, or even a decent signal that can transmit data (T-mobile's edge network).

    Expandable storage and replaceable batteries are a must for folks like me - why label us as trolls?
  • bloodroses
    I do have to agree that non-expandable storage is a deal breaker for me in a phone since I use mine as my personal mp3 player as well.

    With the replaceable battery, it's also fairly important as my Note Edge would be a brick right now if I couldn't replace it. There was a bug in Android 5.01 where it would chew through a 100% battery in less than 30 minutes when signal was lost. Needless to say, my previous battery is completely toast to where even a booster couldn't even start the phone.
  • Kimonajane
    "and three critical bugs that strangely enough don’t seem to have any description of what they do in “Qualcomm components.”
    Those are the ones they put in for the NSA, you know like the back-doors that MS puts into their NSA co-authored OS's. Wouldn't surprise me at all.
  • Gilles_2
    Pixel is a failure before even starting, it costs more and offers less or equal to direct competitors, Google thinks it has Apple's image and fanbase, we're gonna see a big fall now