Google's 3-level Android patch could cause confusion

Google releases over 50 security fixes, with eight of the patched vulnerabilities rated critical

Google has released another large monthly batch of security patches for Android, this time fixing 55 vulnerabilities, eight of which are rated critical.

The novelty of this release is that the fixes are split into three different "security patch levels" -- date strings that indicate to users how up-to-date their devices are. While this could make it easier for device manufacturers to integrate patches applicable to their devices, it could lead to confusion among regular users.

Since August 2015 Google has released security updates for Android according to a monthly schedule. This was intended to add some predictability to Android patches and indeed, some device makers committed to monthly security updates as well.

Google shares its upcoming patches with vendors in advance and then releases firmware updates for its own Nexus devices -- usually on the first Monday of each month -- along with an accompanying security bulletin. After a couple of days, the patches are also released to the Android Open Source Project (AOSP) and become public.

Every security bulletin used to have its own security patch level. This is expressed as a date string in Android's settings under "About phone" and indicates that the firmware contains all Android security patches up to that date.

However, in July Google introduced two patch levels for the same monthly bulletin: one for Android flaws affecting all devices and one for flaws in drivers for certain hardware components.

The argument was that this allowed device manufacturers to integrate only one set of patches for some devices that didn't have the hardware components affected by the second set of flaws. This month, though, there are three patch level strings: 2016-09-01, 2016-09-05 and 2016-09-06.

The 2016-09-01 security patch level covers fixes for 25 flaws in various components of the Android OS. Two of the flaws, in LibUtils and Mediaserver, are rated critical and can be exploited through specially crafted files to achieve remote code execution.

The 2016-09-05 patch level covers fixes for 28 vulnerabilities in device-specific system drivers from Qualcomm, Synaptics, Broadcom, Nvidia, but also in the kernel security, networking, netfilter and sound subsystems, as well as the kernel ext4 file system, networking driver, ASN.1 decoder and USB driver. Five of these flaws are rated critical and could lead to a permanent compromise that could require reflashing the device.

The 2016-09-06 patch level covers two vulnerabilities, a critical one in the kernel shared memory subsystem and a highly rated one in the Qualcomm networking component. Google's explanation for this third patch level is that the two issues it covers were discovered after its partners were already informed about most of the other flaws.

It's worth noting that the patch levels are complementary. The 2016-09-06 level also includes the fixes in the other two patch levels, while 2016-09-05 includes the fixes in 2016-09-01. However, according to Google, 2016-09-05 may also include "a subset of fixes associated with the September 6, 2016 security patch level."

This only adds to the confusion. For example, after the latest update, if your device shows a security patch level of September 6, 2016 then it has all applicable patches, but if it shows September 5, 2016, it may or may not include the two fixes in the 2016-09-06 patch level.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?