BlackBerry have promised to deliver security patches on a monthly basis for their Android smartphones and so far they are keeping good on that promise.
The company has today rolled out the September 2016 Android Security update to devices that have been purchased from ShopBlackBerry.com.
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes.
The following vulnerabilities have been remediated in this update:
[table style=”table-striped”]
| Summary | Description | CVE | ||
| Remote Code Execution Vulnerability  in LibUtils | A remote code execution vulnerability in LibUtils could enable an attacker using a specially crafted file to execute arbitrary code in the context of a privileged process. | CVE-2016-3861 | ||
| Remote Code Execution Vulnerability  in Mediaserver | A remote code execution vulnerability in mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. | CVE-2016-3862 | ||
| Remote Code Execution Vulnerability  in MediaMuxer | A remote code execution vulnerability in MediaMuxer could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. | CVE-2016-3863 | ||
| Elevation of Privilege Vulnerabilities in Mediaserver | Elevation of privilege vulnerabilities in mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. | CVE-2016-3870 CVE-2016-3871 CVE-2016-3872 |
||
| Elevation of Privilege Vulnerability in Device Boot | An elevation of privilege during the boot sequence could enable a local malicious attacker to boot into safe mode even though it’s disabled. | CVE-2016-3875 | ||
| Denial of Service Vulnerabilities in Mediaserver | Denial of service vulnerabilities in mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. | CVE-2016-3899 CVE-2016-3878 CVE-2016-3879 CVE-2016-3880 CVE-2016-3881 |
||
| Elevation of Privilege Vulnerability in Telephony | An elevation of privilege vulnerability in the Telephony component could enable a local malicious application to send unauthorized premium SMS messages. | CVE-2016-3883 | ||
| Elevation of Privilege Vulnerability in Notification Manager Service | An elevation of privilege vulnerability in the Notification Manager Service could enable a local malicious application to bypass operating system protections that isolate application data from other applications. | CVE-2016-3884 | ||
| Elevation of Privilege Vulnerability in Debuggerd | An elevation of privilege vulnerability in the integrated Android debugger could enable a local malicious application to execute arbitrary code within the context of the Android debugger. | CVE-2016-3885 | ||
| Elevation of Privilege Vulnerability in SMS | An elevation of privilege vulnerability in SMS could enable a local attacker to send premium SMS messages prior to the device being provisioned. | CVE-2016-3888 | ||
| Elevation of Privilege Vulnerability in Settings | An elevation of privilege vulnerability in Settings could enable a local attacker to bypass the Factory Reset Protection and gain access to the device. | CVE-2016-3889 | ||
| Elevation of Privilege Vulnerability in Java Debug Wire Protocol | An elevation of privilege vulnerability in the Java Debug Wire Protocol could enable a local malicious application to execute arbitrary code within the context of an elevated system application. | CVE-2016-3890 | ||
| Information Disclosure Vulnerability in Mediaserver | An information disclosure vulnerability in mediaserver could enable a local malicious application to access data outside of its permission levels. | CVE-2016-3895 | ||
| Information Disclosure Vulnerability in Wi-Fi | An information disclosure vulnerability in the Wi-Fi configuration could allow an application to access sensitive information. | CVE-2016-3897 | ||
| Denial of Service Vulnerability in Telephony | A denial of service vulnerability in the Telephony component could enable a local malicious application to prevent 911 TTY calls from a locked screen. | CVE-2016-3898 | ||
| Elevation of Privilege Vulnerability in Kernel Security Subsystem | An elevation of privilege vulnerability in the kernel security subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-4470 | ||
| Elevation of Privilege Vulnerability in Kernel Networking Subsystem | An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2013-7446 | ||
| Elevation of Privilege Vulnerability in Kernel Netfilter Subsystem | An elevation of privilege vulnerability in the kernel netfilter subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3134 | ||
| Elevation of Privilege Vulnerability in Kernel USB Driver | An elevation of privilege vulnerability in the kernel USB driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3951 | ||
| Elevation of Privilege Vulnerability in Kernel ASN.1 Decoder | An elevation of privilege vulnerability in the kernel ASN.1 decoder could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-2053 | ||
| Elevation of Privilege Vulnerability in Qualcomm Radio Interface layer | An elevation of privilege vulnerability in the Qualcomm radio interface layer could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3864 | ||
| Elevation of Privilege Vulnerability in Qualcomm Subsystem Driver | An elevation of privilege vulnerability in the Qualcomm subsystem driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3858 | ||
| Elevation of Privilege Vulnerability in Kernel Networking Driver | An elevation of privilege vulnerability in the kernel networking driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-4805 | ||
| Elevation of Privilege Vulnerability in Synaptics Touchscreen Driver | An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3865 | ||
| Elevation of Privilege Vulnerability in Qualcomm Camera Driver | An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3859 | ||
| Elevation of Privilege Vulnerability in Qualcomm Sound Driver | An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3866 | ||
| Elevation of Privilege Vulnerability in Qualcomm IPA Driver | An elevation of privilege vulnerability in the Qualcomm IPA driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3867 | ||
| Elevation of Privilege Vulnerability in Qualcomm Power Driver | An elevation of privilege vulnerability in the Qualcomm power driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3868 | ||
| Elevation of Privilege Vulnerability in Broadcom Wi-Fi Driver | An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3869 | ||
| Elevation of Privilege Vulnerability in Kernel eCryptfs Filesystem | An elevation of privilege vulnerability in the kernel eCryptfs filesystem could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-1583 | ||
| Denial of Service Vulnerability in Kernel ext4 file System | A denial of service vulnerability in the kernel ext4 file system could enable an attacker to cause a local permanent denial of service, which may require reflashing the operating system to repair the device. | CVE-2015-8839 | ||
| Information Disclosure Vulnerability in Qualcomm SPMI Driver | An information disclosure vulnerability in the Qualcomm SPMI driver could enable a local malicious application to access data outside of its permission levels. | CVE-2016-3892 | ||
| Information Disclosure Vulnerability in Kernel Networking Subsystem | An information disclosure vulnerability in the kernel networking subsystem could enable a local malicious application to access data outside of its permission levels. | CVE-2016-4998 | ||
| Elevation of Privilege Vulnerability in Qualcomm Components | An elevation of privilege vulnerability in the Qualcomm sound driver could enable a malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-2469 |
[/table]
If you own a Android device from BlackBerry and are not seeing the system update message, you can check manually by heading into Settings -> About phone -> System updates and checking manually. Look for the following Android security patch level: September, 2016. Updated software builds may also be available from other retailers or carriers, dependent on their deployment schedules.
