Google's 3-level Android patch could cause confusion

Google releases over 50 security fixes, with eight of the patched vulnerabilities rated critical

Google has released another large monthly batch of security patches for Android, this time fixing 55 vulnerabilities, eight of which are rated critical.

The novelty of this release is that the fixes are split into three different "security patch levels" -- date strings that indicate to users how up-to-date their devices are. While this could make it easier for device manufacturers to integrate patches applicable to their devices, it could lead to confusion among regular users.

Since August 2015 Google has released security updates for Android according to a monthly schedule. This was intended to add some predictability to Android patches and indeed, some device makers committed to monthly security updates as well.

Google shares its upcoming patches with vendors in advance and then releases firmware updates for its own Nexus devices -- usually on the first Monday of each month -- along with an accompanying security bulletin. After a couple of days, the patches are also released to the Android Open Source Project (AOSP) and become public.

Every security bulletin used to have its own security patch level. This is expressed as a date string in Android's settings under "About phone" and indicates that the firmware contains all Android security patches up to that date.

However, in July Google introduced two patch levels for the same monthly bulletin: one for Android flaws affecting all devices and one for flaws in drivers for certain hardware components.

The argument was that this allowed device manufacturers to integrate only one set of patches for some devices that didn't have the hardware components affected by the second set of flaws. This month, though, there are three patch level strings: 2016-09-01, 2016-09-05 and 2016-09-06.

The 2016-09-01 security patch level covers fixes for 25 flaws in various components of the Android OS. Two of the flaws, in LibUtils and Mediaserver, are rated critical and can be exploited through specially crafted files to achieve remote code execution.

The 2016-09-05 patch level covers fixes for 28 vulnerabilities in device-specific system drivers from Qualcomm, Synaptics, Broadcom, Nvidia, but also in the kernel security, networking, netfilter and sound subsystems, as well as the kernel ext4 file system, networking driver, ASN.1 decoder and USB driver. Five of these flaws are rated critical and could lead to a permanent compromise that could require reflashing the device.

The 2016-09-06 patch level covers two vulnerabilities, a critical one in the kernel shared memory subsystem and a highly rated one in the Qualcomm networking component. Google's explanation for this third patch level is that the two issues it covers were discovered after its partners were already informed about most of the other flaws.

It's worth noting that the patch levels are complementary. The 2016-09-06 level also includes the fixes in the other two patch levels, while 2016-09-05 includes the fixes in 2016-09-01. However, according to Google, 2016-09-05 may also include "a subset of fixes associated with the September 6, 2016 security patch level."

This only adds to the confusion. For example, after the latest update, if your device shows a security patch level of September 6, 2016 then it has all applicable patches, but if it shows September 5, 2016, it may or may not include the two fixes in the 2016-09-06 patch level.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?