BlackBerry have promised to deliver security patches on a monthly basis for the BlackBerry Priv, and so far they are making good on that promise.
The company has today rolled out the August Android Security upgrade to BlackBerry Priv devices purchased from ShopBlackBerry.com.
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes.
The following vulnerabilities have been remediated in this update:
[table style="table-striped"]
Summary | Description | CVE
Remote Code Execution Vulnerabilities in Mediaserver | Remote code execution vulnerabilities in mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media. | CVE-2016-3819 CVE-2016-3820 CVE-2016-3821
Remote Code Execution Vulnerability in libjhead | A remote code execution vulnerability in libjhead could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. | CVE-2016-3822
Elevation of Privilege Vulnerabilities in Mediaserver | Elevation of privilege vulnerabilities in mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. | CVE-2016-3823 CVE-2016-3824 CVE-2016-3825 CVE-2016-3826
Denial of Service Vulnerabilities in Mediaserver | Denial of service vulnerabilities in mediaserver could enable an attacker using a specially crafted file to cause a device hang or reboot. | CVE-2016-3827 CVE-2016-3828 CVE-2016-3829 CVE-2016-3830
Denial of Service Vulnerability in System Clock | A denial of service vulnerability in the system clock could enable a remote attacker to crash the device. | CVE-2016-3831
Elevation of Privilege Vulnerability in Framework APIs | An elevation of privilege vulnerability in the framework APIs could enable a local malicious application to bypass operating system protections that isolate application data from other applications. | CVE-2016-3832
Elevation of Privilege Vulnerability in Shell | An elevation of privilege in the Shell could enable a local malicious application to bypass device constraints such as user restrictions. | CVE-2016-3833
Information Disclosure Vulnerability in Camera APIs | An information disclosure vulnerability in the camera APIs could allow a local malicious application to access data outside of its permission levels. | CVE-2016-3834
Information Disclosure Vulnerability in Mediaserver | An information disclosure vulnerability in mediaserver could allow a local malicious application to access data outside of its permission levels. | CVE-2016-3835
Information Disclosure Vulnerability in SurfaceFlinger | An information disclosure vulnerability in the SurfaceFlinger service could enable a local malicious application to access data outside of its permission levels. | CVE-2016-3836
Information Disclosure Vulnerability in Wi-Fi | An information disclosure vulnerability in Wi-Fi could allow a local malicious application to access data outside of its permission levels. | CVE-2016-3837
Denial of Service Vulnerability in System UI | A denial of service vulnerability in the system UI could enable a local malicious application to prevent 911 calls from a locked screen. | CVE-2016-3838
Denial of Service Vulnerability in Bluetooth | A denial of service vulnerability in Bluetooth could enable a local malicious application to prevent 911 calls from a Bluetooth device. | CVE-2016-3839
Remote Code Execution Vulnerability in Conscrypt | A remote code execution vulnerability in Conscrypt could enable a remote attacker to execute arbitrary code within the context of a privileged process. | CVE-2016-3840
Elevation of Privilege Vulnerabilities in Kernel Networking Component | Elevation of privilege vulnerabilities in the kernel networking component could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2015-2686 CVE-2016-3841
Elevation of Privilege Vulnerabilities in Qualcomm GPU driver | Elevation of privilege vulnerabilities in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-2504 CVE-2016-3842
Elevation of Privilege Vulnerabilities in Qualcomm Performance Component | Elevation of privilege vulnerabilities in the Qualcomm performance component could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3843
Elevation of Privilege Vulnerability in Kernel | An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3857
Elevation of Privilege Vulnerabilities in Kernel Sound Component | Elevation of privilege vulnerabilities in the kernel sound component could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-2544 CVE-2014-9904
Elevation of Privilege Vulnerability in ION Driver | An elevation of privilege vulnerability in the ION driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3849
Elevation of Privilege Vulnerability in Qualcomm Bootloader | An elevation of privilege vulnerability in the Qualcomm bootloader could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3850
Elevation of Privilege Vulnerability in Kernel Performance Subsystem | An elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. | CVE-2016-3843
Information Disclosure Vulnerability in Kernel Scheduler | An information disclosure vulnerability in the kernel scheduler could enable a local malicious application to access data outside of its permission levels. | CVE-2014-9903
Information Disclosure Vulnerability in USB driver | An information disclosure vulnerability in the USB driver could enable a local malicious application to access data outside of its permission levels. | CVE-2016-4482
Elevation of Privilege Vulnerability in Google Play Services | An elevation of privilege vulnerability in Google Play services could allow a local attacker to bypass the Factory Reset Protection and gain access to the device. | CVE-2016-3853
Elevation of Privilege Vulnerability in Framework APIs | An elevation of privilege vulnerability in the framework APIs could enable a pre-installed application to increase its intent filter priority when the application is being updated without the user being notified. | CVE-2016-2497
Information Disclosure Vulnerability in Kernel Networking Component | An information disclosure vulnerability in the kernel networking component could enable a local malicious application to access data outside of its permission levels. | CVE-2016-4578
Information Disclosure Vulnerabilities in Kernel Sound Component | Information disclosure vulnerabilities in the kernel sound component could enable a local malicious application to access data outside of its permission levels. | CVE-2016-4569 CVE-2016-4578
Vulnerability in Qualcomm Components | A vulnerability in the thermal driver can result in a local malicious application being able to corrupt memory, possibly resulting in a temporary denial of service. | CVE-2016-3855
[/table]
If you own a Priv and are not seeing the system update message, you can check manually by heading into Settings -> About phone -> System updates. Look for the following Android security patch level: August 5, 2016.
Updated software builds may also be available from other retailers or carriers, dependent on their deployment schedules.