BlackBerry have promised to deliver security patches on a monthly basis for their Android smartphones, and so far they are making good on that promise.
The company has today rolled out the March 2017 Android Security update to Android devices that have been purchased from ShopBlackBerry.com.
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes.
The following vulnerabilities have been remediated in this update:
Summary | Description | CVE
--- | --- | ---
Remote Code Execution Vulnerability in OpenSSL & BoringSSL | A remote code execution vulnerability in OpenSSL and BoringSSL could enable an attacker using a specially crafted file to cause memory corruption during file and data processing. | CVE-2016-2182
Remote Code Execution Vulnerabilities in Mediaserver | Remote code execution vulnerabilities in mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. | CVE-2017-0466, CVE-2017-0467, CVE-2017-0468, CVE-2017-0469, CVE-2017-0470, CVE-2017-0471, CVE-2017-0472, CVE-2017-0473
Elevation of Privilege Vulnerability in Recovery Verifier | An elevation of privilege vulnerability in the recovery verifier could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2017-0475
Remote Code Execution Vulnerability in AOSP Messaging | A remote code execution vulnerability in AOSP Messaging could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. | CVE-2017-0476
Remote Code Execution Vulnerability in Framesequence Library | A remote code execution vulnerability in the framesequence library could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. | CVE-2017-0478
Elevation of Privilege Vulnerabilities in Audioserver | Elevation of privilege vulnerabilities in audioserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. | CVE-2017-0479, CVE-2017-0480
Elevation of Privilege Vulnerability in NFC | An elevation of privilege vulnerability in NFC could enable a proximate attacker to execute arbitrary code within the context of a privileged process. | CVE-2017-0481
Denial of Service Vulnerabilities in Mediaserver | Denial of service vulnerabilities in mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. | CVE-2017-0482, CVE-2017-0483, CVE-2017-0484, CVE-2017-0485, CVE-2017-0486, CVE-2017-0487, CVE-2017-0488
Elevation of Privilege Vulnerability in Location Manager | An elevation of privilege vulnerability in location manager could enable a local malicious application to bypass operating system protections for location data. | CVE-2017-0489
Elevation of Privilege Vulnerability in Wi-Fi | An elevation of privilege vulnerability in Wi-Fi could enable a local malicious application to delete user data. | CVE-2017-0490
Elevation of Privilege Vulnerability in Package Manager | An elevation of privilege vulnerability in package manager could enable a local malicious application to prevent users from uninstalling applications or removing permissions from applications. | CVE-2017-0491
Information Disclosure Vulnerability in AOSP Messaging | An information disclosure vulnerability in AOSP Messaging could enable a remote attacker using a specially crafted file to access data outside of its permission levels. | CVE-2017-0494
Information Disclosure Vulnerability in Mediaserver | An information disclosure vulnerability in mediaserver could enable a local malicious application to access data outside of its permission levels. | CVE-2017-0495
Denial of Service Vulnerability in Setup Wizard | A denial of service vulnerability in Setup Wizard could allow a local malicious application to temporarily block access to an affected device. | CVE-2017-0496
Denial of Service Vulnerability in Setup Wizard | A denial of service vulnerability in Setup Wizard could allow a local attacker to require Google account sign-in after a factory reset. | CVE-2017-0498
Denial of Service Vulnerability in Audioserver | A denial of service vulnerability in audioserver could enable a local malicious application to cause a device hang or reboot. | CVE-2017-0499
Elevation of Privilege Vulnerabilities in Kernel ION Subsystem | Elevation of privilege vulnerabilities in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2017-0507, CVE-2017-0508
Elevation of Privilege Vulnerability in Broadcom Wi-Fi Driver | An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2017-0509
Elevation of Privilege Vulnerability in Qualcomm GPU Driver | An elevation of privilege vulnerability in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-8479
Elevation of Privilege Vulnerabilities in Kernel Networking Subsystem | Elevation of privilege vulnerabilities in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-9806, CVE-2016-10200
Vulnerability in Qualcomm Components | A vulnerability in a Qualcomm component leading to elevation of privilege and information disclosure. | CVE-2016-8484
Elevation of Privilege Vulnerabilities in Kernel Networking Subsystem | Elevation of privilege vulnerabilities in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-8655, CVE-2016-9793
Elevation of Privilege Vulnerability in Qualcomm Input Hardware Driver | An elevation of privilege vulnerability in the Qualcomm input hardware driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2017-0516
Elevation of Privilege Vulnerability in Qualcomm ADSPRPC Driver | An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2017-0457
Elevation of Privilege Vulnerabilities in Qualcomm Fingerprint Sensor Driver | Elevation of privilege vulnerabilities in the Qualcomm fingerprint sensor driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2017-0518, CVE-2017-0519
Elevation of Privilege Vulnerability in Qualcomm Crypto Engine Driver | An elevation of privilege vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2017-0520
Elevation of Privilege Vulnerabilities in Qualcomm Camera Driver | Elevation of privilege vulnerabilities in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2017-0458, CVE-2017-0521
Elevation of Privilege Vulnerabilities in Qualcomm Wi-Fi Driver | Elevation of privilege vulnerabilities in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2017-0464, CVE-2017-0453, CVE-2017-0523
Elevation of Privilege Vulnerability in Synaptics Touchscreen Driver | An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2017-0524
Elevation of Privilege Vulnerabilities in Qualcomm IPA Driver | Elevation of privilege vulnerabilities in the Qualcomm IPA driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2017-0456, CVE-2017-0525
Elevation of Privilege Vulnerabilities in Qualcomm Networking Driver | Elevation of privilege vulnerabilities in the Qualcomm networking driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2017-0463, CVE-2017-0460
Elevation of Privilege Vulnerability in Qualcomm SPCom Driver | An elevation of privilege vulnerability in the Qualcomm SPCom driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-5856
Information Disclosure Vulnerability in Qualcomm Bootloader | An information disclosure vulnerability in the Qualcomm bootloader could help to enable a local malicious application to execute arbitrary code within the context of the bootloader. | CVE-2017-0455
Information Disclosure Vulnerability in Qualcomm Power Driver | An information disclosure vulnerability in the Qualcomm power driver could enable a local malicious application to access data outside of its permission levels. | CVE-2016-8483
Denial of Service Vulnerability in Kernel Cryptographic Subsystem | A denial of service vulnerability in the kernel cryptographic subsystem could enable a remote attacker to use a specially crafted network packet to cause a device hang or reboot. | CVE-2016-8650
Elevation of Privilege Vulnerability in Qualcomm Camera Driver | An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-8417
Information Disclosure Vulnerabilities in Qualcomm Wi-Fi Driver | Information disclosure vulnerabilities in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. | CVE-2017-0461, CVE-2017-0459, CVE-2017-0531
Information Disclosure Vulnerabilities in Qualcomm Video Driver | Information disclosure vulnerabilities in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. | CVE-2017-0533, CVE-2017-0534, CVE-2016-8416, CVE-2016-8478
Information Disclosure Vulnerabilities in Qualcomm Camera Driver | Information disclosure vulnerabilities in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. | CVE-2016-8413, CVE-2016-8477
Information Disclosure Vulnerability in Synaptics Touchscreen Driver | An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels. | CVE-2017-0536
Information Disclosure Vulnerability in Kernel USB Gadget Driver | An information disclosure vulnerability in the kernel USB gadget driver could enable a local malicious application to access data outside of its permission levels. | CVE-2017-0537
Information Disclosure Vulnerability in Qualcomm Camera Driver | An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. | CVE-2017-0452
If you own an Android device from BlackBerry and are not seeing the system update message, you can check manually by heading into Settings -> About phone -> System updates. Look for the following Android security patch level: March 5, 2017.
Updated software builds may also be available from other retailers or carriers, dependent on their deployment schedules.