Google's 3-level Android patch could cause confusion

Google releases over 50 security fixes, with eight of the patched vulnerabilities rated critical

Google has released another large monthly batch of security patches for Android, this time fixing 55 vulnerabilities, eight of which are rated critical.

The novelty of this release is that the fixes are split into three different "security patch levels" -- date strings that indicate to users how up-to-date their devices are. While this could make it easier for device manufacturers to integrate patches applicable to their devices, it could lead to confusion among regular users.

Since August 2015 Google has released security updates for Android according to a monthly schedule. This was intended to add some predictability to Android patches and indeed, some device makers committed to monthly security updates as well.

Google shares its upcoming patches with vendors in advance and then releases firmware updates for its own Nexus devices -- usually on the first Monday of each month -- along with an accompanying security bulletin. After a couple of days, the patches are also released to the Android Open Source Project (AOSP) and become public.

Every security bulletin used to have its own security patch level. This is expressed as a date string in Android's settings under "About phone" and indicates that the firmware contains all Android security patches up to that date.

However, in July Google introduced two patch levels for the same monthly bulletin: one for Android flaws affecting all devices and one for flaws in drivers for certain hardware components.

The argument was that this allowed device manufacturers to integrate only one set of patches for some devices that didn't have the hardware components affected by the second set of flaws. This month, though, there are three patch level strings: 2016-09-01, 2016-09-05 and 2016-09-06.

The 2016-09-01 security patch level covers fixes for 25 flaws in various components of the Android OS. Two of the flaws, in LibUtils and Mediaserver, are rated critical and can be exploited through specially crafted files to achieve remote code execution.

The 2016-09-05 patch level covers fixes for 28 vulnerabilities in device-specific system drivers from Qualcomm, Synaptics, Broadcom, Nvidia, but also in the kernel security, networking, netfilter and sound subsystems, as well as the kernel ext4 file system, networking driver, ASN.1 decoder and USB driver. Five of these flaws are rated critical and could lead to a permanent compromise that could require reflashing the device.

The 2016-09-06 patch level covers two vulnerabilities, a critical one in the kernel shared memory subsystem and a highly rated one in the Qualcomm networking component. Google's explanation for this third patch level is that the two issues it covers were discovered after its partners were already informed about most of the other flaws.

It's worth noting that the patch levels are complementary. The 2016-09-06 level also includes the fixes in the other two patch levels, while 2016-09-05 includes the fixes in 2016-09-01. However, according to Google, 2016-09-05 may also include "a subset of fixes associated with the September 6, 2016 security patch level."

This only adds to the confusion. For example, after the latest update, if your device shows a security patch level of September 6, 2016 then it has all applicable patches, but if it shows September 5, 2016, it may or may not include the two fixes in the 2016-09-06 patch level.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?