BlackBerry have promised to deliver security patches on a monthly basis for the BlackBerry Priv, and so far they are making good on that promise.
The company has today rolled out the April Security upgrade (AAE298) to BlackBerry Privs worldwide.
The update comes in at 20.9Mb and updates 52 apps.
It should be noted that whilst this security update includes Google’s April Security update, BlackBerry have not updated the build number, which is still AAE298 from the March supplementary update last month.
The following vulnerabilities have been remediated in this update:
[table style=”table-striped”]
Summary | Description | CVE
Remote Code Execution Vulnerability in DHCPD | A vulnerability in the Dynamic Host Configuration Protocol service could enable an attacker to cause memory corruption, which could lead to remote code execution. | CVE-2016-1503
Remote Code Execution Vulnerabilities in Mediaserver | During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process. The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media. | CVE-2016-0837, CVE-2016-0838, CVE-2016-0841
Elevation of Privilege Vulnerability in Qualcomm RF component | A vulnerability in the Qualcomm RF driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-0844
Elevation of Privilege Vulnerability in IMemory Native Interface | An elevation of privilege vulnerability in the IMemory Native Interface could enable a local malicious application to execute arbitrary code within the context of an elevated system application. | CVE-2016-0846
Elevation of Privilege Vulnerability in Telecom Component | An elevation of privilege vulnerability in the Telecom Component could enable an attacker to spoof calls to appear from any arbitrary number. | CVE-2016-0847
Elevation of Privilege Vulnerability in Download Manager | An elevation of privilege vulnerability in the Download Manager could enable an attacker to gain access to unauthorized files in private storage. | CVE-2016-0848
Elevation of Privilege Vulnerability in Recovery Procedure | An elevation of privilege vulnerability in the Recovery Procedure could enable a local malicious application to execute arbitrary code within the context of an elevated system application. | CVE-2016-0849
Elevation of Privilege Vulnerability in Bluetooth | An elevation of privilege vulnerability in Bluetooth could enable an untrusted device to pair with the phone during the initial pairing process. This could lead to unauthorized access of the device resources, such as the Internet Connection. | CVE-2016-0850
Elevation of Privilege Vulnerability in a Qualcomm Video Kernel Driver | An elevation of privilege vulnerability in a Qualcomm video kernel driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-2410
Elevation of Privilege Vulnerability in Qualcomm Power Management component | An elevation of privilege vulnerability in a Qualcomm Power Management kernel driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-2411
Elevation of Privilege Vulnerability in System_server | An elevation of privilege vulnerability in System_server could enable a local malicious application to execute arbitrary code within the context of an elevated system application. | CVE-2016-2412
Elevation of Privilege Vulnerability in Mediaserver | An elevation of privilege vulnerability in mediaserver could enable a local malicious application to execute arbitrary code within the context of an elevated system application. | CVE-2016-2413
Denial of Service Vulnerability in Minikin | A denial of service vulnerability in the Minikin library could allow a local attacker to temporarily block access to an affected device. An attacker could cause an untrusted font to be loaded and cause an overflow in the Minikin component which leads to a crash. | CVE-2016-2414
Information Disclosure Vulnerability in Exchange ActiveSync | An information disclosure vulnerability in Exchange ActiveSync could enable a local malicious application to gain access to user’s private information. | CVE-2016-2415
Information Disclosure Vulnerabilities in Mediaserver | Information disclosure vulnerabilities in mediaserver could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. | CVE-2016-2416, CVE-2016-2417
Elevation of Privilege Vulnerability in Setup Wizard | A vulnerability in the Setup Wizard could allow a malicious attacker to bypass the Factory Reset Protection and gain access to the device. | CVE-2016-2421
Elevation of Privilege Vulnerability in Wi-Fi | An elevation of privilege vulnerability in Wi-Fi could enable a local malicious application to execute arbitrary code within the context of an elevated system application. | CVE-2016-2422
Elevation of Privilege Vulnerability in Telephony | A vulnerability in Telephony could allow a malicious attacker to bypass the Factory Reset Protection and gain access to the device. | CVE-2016-2423
Denial of Service Vulnerability in SyncStorageEngine | A denial of service vulnerability in the SyncStorageEngine could enable a local malicious application to cause a reboot loop. | CVE-2016-2424
Information Disclosure Vulnerability in Framework | An information disclosure vulnerability in the Framework component could allow an application to access sensitive information. | CVE-2016-2426
Information Disclosure Vulnerability in BouncyCastle | An information disclosure vulnerability in BouncyCastle could allow an authentication key to be leaked. | CVE-2016-2427
Elevation of Privilege Vulnerability in the Kernel | An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code within the context of the kernel. |
[/table]
If you own a Priv and are not seeing the system update message, you can check manually by heading into Settings -> About phone -> System updates.