Google's 3-level Android patch could cause confusion

Google releases over 50 security fixes, with eight of the patched vulnerabilities rated critical

Google has released another large monthly batch of security patches for Android, this time fixing 55 vulnerabilities, eight of which are rated critical.

The novelty of this release is that the fixes are split into three different "security patch levels" -- date strings that indicate to users how up-to-date their devices are. While this could make it easier for device manufacturers to integrate patches applicable to their devices, it could lead to confusion among regular users.

Since August 2015 Google has released security updates for Android according to a monthly schedule. This was intended to add some predictability to Android patches and indeed, some device makers committed to monthly security updates as well.

Google shares its upcoming patches with vendors in advance and then releases firmware updates for its own Nexus devices -- usually on the first Monday of each month -- along with an accompanying security bulletin. After a couple of days, the patches are also released to the Android Open Source Project (AOSP) and become public.

Every security bulletin used to have its own security patch level. This is expressed as a date string in Android's settings under "About phone" and indicates that the firmware contains all Android security patches up to that date.

However, in July Google introduced two patch levels for the same monthly bulletin: one for Android flaws affecting all devices and one for flaws in drivers for certain hardware components.

The argument was that this allowed device manufacturers to integrate only one set of patches for some devices that didn't have the hardware components affected by the second set of flaws. This month, though, there are three patch level strings: 2016-09-01, 2016-09-05 and 2016-09-06.

The 2016-09-01 security patch level covers fixes for 25 flaws in various components of the Android OS. Two of the flaws, in LibUtils and Mediaserver, are rated critical and can be exploited through specially crafted files to achieve remote code execution.

The 2016-09-05 patch level covers fixes for 28 vulnerabilities in device-specific system drivers from Qualcomm, Synaptics, Broadcom, Nvidia, but also in the kernel security, networking, netfilter and sound subsystems, as well as the kernel ext4 file system, networking driver, ASN.1 decoder and USB driver. Five of these flaws are rated critical and could lead to a permanent compromise that could require reflashing the device.

The 2016-09-06 patch level covers two vulnerabilities, a critical one in the kernel shared memory subsystem and a highly rated one in the Qualcomm networking component. Google's explanation for this third patch level is that the two issues it covers were discovered after its partners were already informed about most of the other flaws.

It's worth noting that the patch levels are complementary. The 2016-09-06 level also includes the fixes in the other two patch levels, while 2016-09-05 includes the fixes in 2016-09-01. However, according to Google, 2016-09-05 may also include "a subset of fixes associated with the September 6, 2016 security patch level."

This only adds to the confusion. For example, after the latest update, if your device shows a security patch level of September 6, 2016 then it has all applicable patches, but if it shows September 5, 2016, it may or may not include the two fixes in the 2016-09-06 patch level.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?