Google has been releasing monthly security patches like clockwork ever since it revamped the Android security model in the wake of Stagefright. Samsung and LG are also trying to keep up with the monthly patches, but not always with the most success. LG's getting the jump on Google today, though. It has posted the January security bulletin a little early with information on Google and LG-specific patches.

You can check LG's security page for the full list of patches (under the LG Security Bulletin tab). There are 81 total patches from Google and LG. Eight of them are for LG devices only. LG's page links to the Google security bulletin page, but of course that still shows the December patch info. You can expect more detail on the Google patches when Mountain View gets around to posting its update next week. Some are already public and include things like arbitrary code execution and kernel privilege escalation flaws.

LG has descriptions of all its internal bugs, one of which is critical and involves user data leaking on MediaTek devices. The high and moderate level patches cover various privilege escalation vulnerabilities. These patches will be delivered to devices like the G3, G4, G4 Stylus, G5, V10, V20, CK, and G Stylo. There are no specifics on release date, which will vary by carrier and region.

LG Mobile Security Maintenance Release Summary (SMR)

The January Security Bulletin contains 81 patches for the vulnerabilities from Google and LG. The most severe of these vulnerabilities is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The security patch level is [2017-01-01] and the patches contain the fixes for the 73 CVE items and the 8 LVE items. The LG vulnerabilities and exposures (LVE) items are described in detail below.

Security issues Summary

CVE Items from Google patch (Android Bulletin January 2016)
  • critical:
    CVE-2017-0381, CVE-2016-5180, CVE-2016-8411, CVE-2016-4794, CVE-2016-5195, CVE-2015-8966, CVE-2016-9120
  • high:
    CVE-2017-0382, CVE-2017-0383, CVE-2017-0384, CVE-2017-0385, CVE-2017-0386, CVE-2017-0387, CVE-2017-0388, CVE-2016-3911, CVE-2016-6710, CVE-2017-0389, CVE-2017-0390, CVE-2017-0391, CVE-2017-0392, CVE-2017-0393, CVE-2017-0394, CVE-2014-4014, CVE-2015-8967, CVE-2016-6778, CVE-2016-6779, CVE-2016-6780, CVE-2016-6492, CVE-2016-6781, CVE-2016-6782, CVE-2016-6783, CVE-2016-6784, CVE-2016-6785, CVE-2016-6758, CVE-2016-6759, CVE-2016-6760, CVE-2016-6761, CVE-2016-6755, CVE-2016-6786, CVE-2016-6787, CVE-2016-6788, CVE-2016-6791, CVE-2016-8391, CVE-2016-8392, CVE-2015-7872, CVE-2016-8393, CVE-2016-8394, CVE-2014-9909, CVE-2014-9910, CVE-2016-1583, CVE-2016-8396, CVE-2016-5341
  • moderate:
    CVE-2017-0395, CVE-2017-0396, CVE-2017-0397, CVE-2017-0398, CVE-2017-0399, CVE-2017-0400, CVE-2017-0401, CVE-2017-0402, CVE-2016-6720, CVE-2016-8399, CVE-2016-6756, CVE-2016-6757, CVE-2016-8401, CVE-2016-8402, CVE-2016-8403, CVE-2016-8404, CVE-2016-8405, CVE-2016-8406, CVE-2016-8407, CVE-2016-8410
  • low:
    CVE-2016-6690

LG Vulnerabilities and Exposures (LVE) Items from LG
  • critical:
    LVE-SMP-160019
  • high:
    LVE-SMP-160013, LVE-SMP-160014
  • moderate:
    LVE-SMP-160011, LVE-SMP-160015, LVE-SMP-160017, LVE-SMP-160018
  • low:
    LVE-SMP-160012

Security issues Details

You can see the detailed information on Google patches on the Android Security Bulletin site. There is a description of the security issue, a severity, affected device information and date reported.

LVE-SMP-160019

  • Severity : Critical
  • Date reported : Nov 17, 2016
  • Affected device Information : L(5.0/5.1), M(6.0/6.0.1), N(7.0) devices with MTK chipset
  • Description :
    The MTKLogger application, which logs personal information to storage without user consent, can be started by a third-party application without user consent.

LVE-SMP-160013

  • Severity : High
  • Date reported : Nov 15, 2016
  • Affected device Information : Devices with LG Touchscreen driver
  • Description :
    An elevation of privilege vulnerability in write_file/write_log of LG touch driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

LVE-SMP-160014

  • Severity : High
  • Date reported : Nov 15, 2016
  • Affected device Information : L(5.0.2), M(6.0) device using LG felica driver
  • Description :
    An elevation of privilege vulnerability in the LG felica drivers can be exploited to gain read/write access to kernel memory.

LVE-SMP-160017

  • Severity : Moderate
  • Date reported : Nov 15, 2016
  • Affected device Information : Devices with LG Touchscreen driver
  • Description :
    An elevation of privilege vulnerability in touch_synaptics/reg_ctrl of LG touch driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

LVE-SMP-160018

  • Severity : Moderate
  • Date reported : Nov 15, 2016
  • Affected device Information : L(5.0/5.1), M(6.0/6.0.1), N(7.0) devices with LG fc8080 tdmb driver
  • Description :
    An elevation of privilege vulnerability in the LG fc8080 tdmb driver could allow usermode to supply a kernel address as the ioctl argument; this will result in kernel memory corruption and can likely be exploited to achieve privilege elevation.

LVE-SMP-160012

  • Severity : Moderate
  • Date reported : Nov 15, 2016
  • Affected device Information : L(5.0/5.1), M(6.0/6.0.1), N(7.0) devices using snapdragon 801, 808, 820
  • Description :
    A directory traversal vulnerability in the lghashstorageserver binder service could enable an app to read and write 0x20 bytes from any file in the context of the lghashstorageserver. It will result in system files being compromised and can likely be exploited to achieve privilege elevation.

Acknowledgements

We would like to thank the following researchers for their contributions.
  • Mark Brand of Google Project Zero : LVE-SMP-160011, LVE-SMP-160012, LVE-SMP-160013, LVE-SMP-160014, LVE-SMP-160015, LVE-SMP-160017, LVE-SMP-160018

Source: LG