BlackBerry have promised to deliver security patches on a monthly basis for their Android smartphones and so far they are keeping good on that promise.
The company has today rolled out the November 2016 Android Security update to Android devices that have been purchased from ShopBlackBerry.com.
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes.
The following vulnerabilities have been remediated in this update:
[table style=”table-striped”]
| Summary | Description | CVE | ||
| Elevation of Privilege in Kernel Subsystem | An elevation of privilege vulnerability in the kernel memory management subsystem could enable a local malicious application to execute arbitrary code within the context of a privileged process. | CVE-2016-5195 | ||
| Remote Code Execution Vulnerability in Android Runtime | A remote code execution vulnerability in an Android runtime library could enable an attacker using a specially crafted payload to execute arbitrary code in the context of an unprivileged process. | CVE-2016-6703 | ||
| Elevation of Privilege Vulnerabilities in Mediaserver | Elevation of privilege vulnerabilities in mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. | CVE-2016-6704 CVE-2016-6705 |
||
| Elevation of Privilege Vulnerability in System Server | An elevation of privilege vulnerability in system server could enable a local malicious application to execute arbitrary code within the context of a privileged process. | CVE-2016-6707 | ||
| Information Disclosure Vulnerability in Conscrypt and BoringSSL | An information disclosure vulnerability in Conscrypt and BoringSSL could enable a man-in-the middle attacker to gain access to sensitive information if a non-standard cipher suite is used by an application. | CVE-2016-6709 | ||
| Information Disclosure Vulnerability in Download Manager | An information disclosure vulnerability in the download manager could enable a local malicious application to bypass operating system protections that isolate application data from other applications. | CVE-2016-6710 | ||
| Denial of Service Vulnerabilities in Mediaserver | Remote denial of service vulnerabilities in mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. | CVE-2016-6711 CVE-2016-6712 CVE-2016-6713 CVE-2016-6714 |
||
| Elevation of Privilege Vulnerability in Framework APIs | An elevation of privilege vulnerability in the Framework APIs could allow a local malicious application to record audio without the user’s permission. | CVE-2016-6715 | ||
| Elevation of Privilege Vulnerability in Mediaserver | An elevation of privilege vulnerability in mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. | CVE-2016-6717 | ||
| Elevation of Privilege Vulnerability in Bluetooth | An elevation of privilege vulnerability in the Bluetooth component could enable a local malicious application to pair with any Bluetooth device without user consent. | CVE-2016-6719 | ||
| Information Disclosure Vulnerabilities in Mediaserver | Information disclosure vulnerabilities in mediaserver could enable a local malicious application to access data outside of its permission levels. | CVE-2016-6720 CVE-2016-6721 CVE-2016-6722 |
||
| Denial of Service Vulnerability in Proxy Auto Config | A denial of service vulnerability in Proxy Auto Config could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. | CVE-2016-6723 | ||
| Denial of Service Vulnerability in Input Manager Service | A denial of service vulnerability in the Input Manager Service could enable a local malicious application to cause the device to continually reboot. | CVE-2016-6724 | ||
| Remote Code Execution Vulnerability in Qualcomm GPS Subsystem | A remote code execution vulnerability in the Qualcomm GPS subsystem could enable a remote attacker to execute arbitrary code within the context of the kernel. | CVE-2016-6727 | ||
| Remote Code Execution Vulnerability in Qualcomm Crypto Driver | A remote code execution vulnerability in the Qualcomm crypto driver could enable a remote attacker to execute arbitrary code within the context of the kernel. | CVE-2016-6725 | ||
| Elevation of Privilege Vulnerability in Kernel ION Subsystem | An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-6728 | ||
| Elevation of Privilege Vulnerability in Qualcomm Bootloader | An elevation of privilege vulnerability in the Qualcomm bootloader could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-6729 | ||
| Elevation of Privilege Vulnerability in Kernel Networking Subsystem | An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-6828 | ||
| Elevation of Privilege Vulnerability in Kernel Sound Subsystem | An elevation of privilege vulnerability in the kernel sound subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-2184 | ||
| Elevation of Privilege Vulnerabilities in Kernel File System | Elevation of privilege vulnerabilities in the kernel file system could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-7910 CVE-2016-7911 CVE-2015-8961 |
||
| Elevation of Privilege Vulnerability in Kernel SCSI Driver | An elevation of privilege vulnerability in the kernel SCSI driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2015-8962 | ||
| Elevation of Privilege Vulnerability in Kernel USB Driver | An elevation of privilege vulnerability in the kernel USB driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-7912 | ||
| Elevation of Privilege Vulnerability in Kernel ION Subsystem | An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-6737 | ||
| Remote Code Execution Vulnerabilities in Expat | Multiple vulnerabilities exist in the Expat library, the most severe of which is an elevation of privilege vulnerability in the Expat XML parser, which could enable an attacker using a specially crafted file to execute arbitrary code in an unprivileged process. | CVE-2016-0718 CVE-2012-6702 CVE-2016-5300 CVE-2015-1283 |
||
| Remote Code Execution Vulnerability in Freetype | A remote code execution vulnerability in Freetype could enable a local malicious application to load a specially crafted font to cause memory corruption in an unprivileged process. | CVE-2014-9675 | ||
| Elevation of Privilege Vulnerability in Kernel System-call Auditing Subsystem | An elevation of privilege vulnerability in the kernel system-call auditing subsystem could enable a local malicious application to disrupt system-call auditing in the kernel. | CVE-2016-6136 | ||
| Elevation of Privilege Vulnerability in Qualcomm Crypto Engine Driver | An elevation of privilege vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-6738 | ||
| Elevation of Privilege Vulnerabilities in Qualcomm Camera Driver | Elevation of privilege vulnerabilities in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-6739 CVE-2016-6740 CVE-2016-6741 |
||
| Elevation of Privilege Vulnerability in Qualcomm Bus Driver | An elevation of privilege vulnerability in the Qualcomm bus driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3904 | ||
| Elevation of Privilege Vulnerabilities in Synaptics Touchscreen Driver | Elevation of privilege vulnerabilities in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-6742 CVE-2016-6743 CVE-2016-6744 CVE-2016-6745 |
||
| Elevation of Privilege Vulnerability in Kernel Performance Subsystem | An elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2015-8963 | ||
| Information Disclosure Vulnerabilities in Kernel Components | Information disclosure vulnerabilities in kernel components including the human interface device driver, file system, and Teletype driver, could enable a local malicious application to access data outside of its permission levels. | CVE-2016-7914 CVE-2015-8964 CVE-2016-7915 CVE-2016-7916 |
||
| Information Disclosure Vulnerabilities in Qualcomm Components | Information disclosure vulnerabilities in Qualcomm components including the GPU driver, power driver, SMSM Point-to-Point driver, and sound driver could enable a local malicious application to access data outside of its permission levels. | CVE-2016-6748 CVE-2016-6749 CVE-2016-6750 CVE-2016-3906 CVE-2016-3907 CVE-2016-6698 CVE-2016-6751 CVE-2016-6752 |
||
| Information Disclosure Vulnerabilities in Kernel Components | Information disclosure vulnerabilities in kernel components, including the process-grouping subsystem and the networking subsystem, could enable a local malicious application to access data outside of its permission levels. | CVE-2016-6753 CVE-2016-7917 |
[/table]
If you own an Android device from BlackBerry and are not seeing the system update message, you can check manually by heading into Settings -> About phone -> System updates and checking manually. Look for the following Android security patch level: November 6, 2016.
Updated software builds may also be available from other retailers or carriers, dependent on their deployment schedules.
