Google has released a huge set of patches in its monthly security update for Android, and the September fixes include three separate patch levels, rather than the two the company has been putting out in recent months.
The most significant fix in the September release is for the QuadRooter vulnerability in some Qualcomm components in Android devices. Some of the vulnerable portions of the Android code had been patched in August, but this month’s security update completes the fix. The two remaining flaws in the QuadRooter family that Google patched Tuesday are a privilege escalation bug in the kernel and another in the Qualcomm networking component. The more serious of the two is CVE-2016-5340, the kernel vulnerability.
“An elevation of privilege vulnerability in the kernel shared memory subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device,” Google said in its September Android security update.
This is the first time that Google has released three individual patch streams, and the company said it’s doing so in an effort to allow carriers and OEMs to get the security updates to users as quickly as possible. There are Sept. 1, Sept. 5, and Sept. 6 patch streams, with the Sept. 6 stream comprising the complete set of fixes. The other two each contain a smaller subset of the patches.
There are patches for two critical vulnerabilities in the Sept. 1 stream, along with fixes for five high-severity flaws. The Sept. 5 patch stream includes fixes for four additional critical bugs, and the Sept. 6 version adds the patches for the kernel bug and the Qualcomm vulnerability.
Users who have Google Nexus devices are already getting the over-the-air update, while owners of other Android devices will need to wait for their carriers to push the updates out.