Google has released an unusually hefty Android Security Bulletin for July. In fact, so many vulnerabilities have been fixed – 108 in all – that the patches come in two levels.
The first one, 2016-07-05, includes patches for vulnerabilities found in Android OS.
Among these are seven critical RCE flaws affecting the Mediaserver component, which can be triggered via email, web browsing, and MMS by making the component process specially crafted media files, and an RCE flaw in OpenSSL and BoringSSL that can also be triggered with a specially crafted file.
The rest are mostly elevation of privilege and information disclosure vulnerabilities in a variety of services, libraries, Bluetooth, and the Framework APIs.
The second security patch level – 2016-07-05 – contains patches for the aforementioned vulnerabilities as well as for device-specific ones.
These are mostly elevation of privilege vulnerabilities affecting Qualcomm, NVIDIA and MediaTek drivers and components, plus some kernel flaws.
None of the fixed flaws can be misused to break Android’s Full-Disk Encryption (FDE).
Also, there is no indication that any of the fixed issues are being exploited or abused in attacks in the wild.
“This bulletin has two security patch level strings in order to provide Android partners with the flexibility to move more quickly to fix a subset of vulnerabilities that are similar across all Android devices,” Google said, explaining the reasoning behind the two patch level strings.
“Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level string.”
As always, users of Android smartphones that are not manufactured by Google will have to wait for their manufacturer or carrier to push out the patches.
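Because a bulletin with two patch level strings means a device can be "partially" patched, the practical check is to read the device's own patch level and compare it against both strings. The script below is an added example, not code from the article or from Google; it parses the value that `adb shell getprop ro.build.version.security_patch` returns (sample values are constructed here), treats a missing or malformed value as unknown rather than as patched, and reports the widest bulletin scope the device satisfies. The full-scope date is the article's 2016-07-05; the OS-only date used here is an assumed placeholder, not a value taken from the article.

```python
"""Classify an Android device's security patch level against a bulletin.

Added example: parses the output of
    adb shell getprop ro.build.version.security_patch
and reports which scope of a two-level bulletin the device satisfies.
"""
from datetime import date

# Patch-level strings a bulletin publishes, narrowest scope first.
# "full" is the article's 2016-07-05; "os-only" is an assumed placeholder.
BULLETIN_LEVELS = (
    ("os-only", "2016-07-01"),
    ("full", "2016-07-05"),
)


def parse_patch_level(raw):
    """Turn a getprop value into a date, or None if absent or malformed.

    Devices that predate the property return an empty string from getprop,
    and some vendor builds ship a non-ISO value; both count as 'unknown'
    rather than as 'patched'.
    """
    raw = (raw or "").strip()
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def patch_status(raw_level, levels=BULLETIN_LEVELS):
    """Return the widest bulletin scope the device's level satisfies.

    'unknown' if the property is missing or malformed; 'none' if the
    device's level predates every level in the bulletin.
    """
    device = parse_patch_level(raw_level)
    if device is None:
        return "unknown"
    met = "none"
    for scope, required in levels:
        if device >= date.fromisoformat(required):
            met = scope
    return met


# Constructed sample values, as `getprop ro.build.version.security_patch`
# would print them on different devices.
SAMPLE_DEVICES = {
    "google-device": "2016-07-05",
    "oem-partial": "2016-07-01",
    "stale-oem": "2016-05-01",
    "pre-marshmallow": "",
    "bad-string": "July 2016",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_DEVICES.items():
        print(f"{name:16s} {raw!r:14} -> {patch_status(raw)}")
```

On a real fleet the `SAMPLE_DEVICES` dictionary would be replaced by the property read from each device; the comparison is a plain date comparison, so any later level (a later month's bulletin) also counts as satisfying this one, which matches how the patch level string is meant to be read.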