BlackBerry

BlackBerry release BlackBerry Priv April Security Upgrade

BlackBerry have promised to deliver security patches on a monthly basis for the BlackBerry Priv, and so far they are keeping good on that promise.

The company has today rolled out the April Security upgrade (AAE298) to BlackBerry Priv’s worldwide.

The update comes in at 20.9Mb and updates 52 apps.

It should be noted that whilst this security update includes Google’s April Security update, BlackBerry have not updated the build number, which is still AAE298 from the March supplementary update last month.

Premium IPTV in the UK

The following vulnerabilities have been remediated in this update:
[table style=”table-striped”]

Summary Description CVE
Remote Code Execution Vulnerability in DHCPD A vulnerability in the Dynamic Host Configuration Protocol service could enable an attacker to cause memory corruption, which could lead to remote code execution. CVE-2016-1503
Remote Code Execution Vulnerabilities in Mediaserver During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.

The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.

CVE-2016-0837
CVE-2016-0838
CVE-2016-0841
Elevation of Privilege Vulnerability in Qualcomm RF component A vulnerability in the Qualcomm RF driver could enable a local malicious application to execute arbitrary code within the context of the kernel. CVE-2016-0844
Elevation of Privilege Vulnerability in IMemory Native Interface An elevation of privilege vulnerability in the IMemory Native Interface could enable a local malicious application to execute arbitrary code within the context of an elevated system application. CVE-2016-0846
Elevation of Privilege Vulnerability in Telecom Component An elevation of privilege vulnerability in the Telecom Component could enable an attacker to spoof calls to appear from any arbitrary number. CVE-2016-0847
Elevation of Privilege Vulnerability in Download Manager An elevation of privilege vulnerability in the Download Manager could enable an attacker to gain access to unauthorized files in private storage. CVE-2016-0848
Elevation of Privilege Vulnerability in Recovery Procedure An elevation of privilege vulnerability in the Recovery Procedure could enable a local malicious application to execute arbitrary code within the context of an elevated system application. CVE-2016-0849
Elevation of Privilege Vulnerability in Bluetooth An elevation of privilege vulnerability in Bluetooth could enable an untrusted device to pair with the phone during the initial pairing process. This could lead to unauthorized access of the device resources, such as the Internet Connection. CVE-2016-0850
Elevation of Privilege Vulnerability in a Qualcomm Video Kernel Driver An elevation of privilege vulnerability in a Qualcomm video kernel driver could enable a local malicious application to execute arbitrary code within the context of the kernel. CVE-2016-2410
Elevation of Privilege Vulnerability in Qualcomm Power Management component An elevation of privilege vulnerability in a Qualcomm Power Management kernel driver could enable a local malicious application to execute arbitrary code within the context of the kernel. CVE-2016-2411
Elevation of Privilege Vulnerability in System_server An elevation of privilege vulnerability in System_server could enable a local malicious application to execute arbitrary code within the context of an elevated system application. CVE-2016-2412
Elevation of Privilege Vulnerability in Mediaserver An elevation of privilege vulnerability in mediaserver could enable a local malicious application to execute arbitrary code within the context of an elevated system application. CVE-2016-2413
Denial of Service Vulnerability in Minikin A denial of service vulnerability in the Minikin library could allow a local attacker to temporarily block access to an affected device. An attacker could cause an untrusted font to be loaded and cause an overflow in the Minikin component which leads to a crash. CVE-2016-2414
Information Disclosure Vulnerability in Exchange ActiveSync An information disclosure vulnerability in Exchange ActiveSync could enable a local malicious application to gain access to user’s private information. CVE-2016-2415
Information Disclosure Vulnerabilities in Mediaserver Information disclosure vulnerabilities in mediaserver could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. CVE-2016-2416
CVE-2016-2417
Elevation of Privilege Vulnerability in Setup Wizard A vulnerability in the Setup Wizard could allow a malicious attacker to bypass the Factory Reset Protection and gain access to the device. CVE-2016-2421
Elevation of Privilege Vulnerability in Wi-Fi An elevation of privilege vulnerability in Wi-Fi could enable a local malicious application to execute arbitrary code within the context of an elevated system application. CVE-2016-2422
Elevation of Privilege Vulnerability in Telephony A vulnerability in Telephony could allow a malicious attacker to bypass the Factory Reset Protection and gain access to the device. CVE-2016-2423
Denial of Service Vulnerability in SyncStorageEngine A denial of service vulnerability in the SyncStorageEngine could enable a local malicious application to cause a reboot loop. CVE-2016-2424
Information Disclosure Vulnerability in Framework An information disclosure vulnerability in the Framework component could allow an application to access sensitive information. CVE-2016-2426
Information Disclosure Vulnerability in BouncyCastle An information disclosure vulnerability in BouncyCastle could allow an authentication key to be leaked. CVE-2016-2427
Elevation of Privilege Vulnerability in the Kernel An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code within the context of the kernel.

[/table]
If you own a Priv and are not seeing the system update message, you can check manually by heading into Settings -> About phone -> System updates and checking manually.