Google's 3-level Android patch could cause confusion

Google releases over 50 security fixes, with eight of the patched vulnerabilities rated critical

Google has released another large monthly batch of security patches for Android, this time fixing 55 vulnerabilities, eight of which are rated critical.

The novelty of this release is that the fixes are split into three different "security patch levels" -- date strings that indicate to users how up-to-date their devices are. While this could make it easier for device manufacturers to integrate patches applicable to their devices, it could lead to confusion among regular users.

Since August 2015 Google has released security updates for Android according to a monthly schedule. This was intended to add some predictability to Android patches and indeed, some device makers committed to monthly security updates as well.

Google shares its upcoming patches with vendors in advance and then releases firmware updates for its own Nexus devices -- usually on the first Monday of each month -- along with an accompanying security bulletin. After a couple of days, the patches are also released to the Android Open Source Project (AOSP) and become public.

Every security bulletin used to have its own security patch level. This is expressed as a date string in Android's settings under "About phone" and indicates that the firmware contains all Android security patches up to that date.

However, in July Google introduced two patch levels for the same monthly bulletin: one for Android flaws affecting all devices and one for flaws in drivers for certain hardware components.

The argument was that this allowed device manufacturers to integrate only one set of patches for some devices that didn't have the hardware components affected by the second set of flaws. This month, though, there are three patch level strings: 2016-09-01, 2016-09-05 and 2016-09-06.

The 2016-09-01 security patch level covers fixes for 25 flaws in various components of the Android OS. Two of the flaws, in LibUtils and Mediaserver, are rated critical and can be exploited through specially crafted files to achieve remote code execution.

The 2016-09-05 patch level covers fixes for 28 vulnerabilities in device-specific system drivers from Qualcomm, Synaptics, Broadcom, Nvidia, but also in the kernel security, networking, netfilter and sound subsystems, as well as the kernel ext4 file system, networking driver, ASN.1 decoder and USB driver. Five of these flaws are rated critical and could lead to a permanent compromise that could require reflashing the device.

The 2016-09-06 patch level covers two vulnerabilities, a critical one in the kernel shared memory subsystem and a highly rated one in the Qualcomm networking component. Google's explanation for this third patch level is that the two issues it covers were discovered after its partners were already informed about most of the other flaws.

It's worth noting that the patch levels are complementary. The 2016-09-06 level also includes the fixes in the other two patch levels, while 2016-09-05 includes the fixes in 2016-09-01. However, according to Google, 2016-09-05 may also include "a subset of fixes associated with the September 6, 2016 security patch level."

This only adds to the confusion. For example, after the latest update, if your device shows a security patch level of September 6, 2016 then it has all applicable patches, but if it shows September 5, 2016, it may or may not include the two fixes in the 2016-09-06 patch level.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?