Last week, BlackBerry began pushing its first formal update to BlackBerry Priv owners, with improvements to the camera, device performance, stability and, of course, security. The security improvements in the update were not outlined at the time, but now that Google has gone live with its December 2015 Security Bulletin, BlackBerry has laid out the specifics that apply to the Priv.
In total, sixteen Common Vulnerabilities and Exposures (CVE) IDs have been patched, and according to Google there are no reports of active exploitation of these vulnerabilities. As we learned early on from BlackBerry, they've committed to keeping up with the Android monthly security updates, so this kind of detail is something we can expect to see every month from BlackBerry going forward. Have a look through everything that was patched.
Remote Code Execution Vulnerability in Mediaserver - During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process. The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media. - CVE-2015-6616
Remote Code Execution Vulnerability in Skia - A vulnerability in the Skia component may be leveraged when processing a specially crafted media file that could lead to memory corruption and remote code execution in a privileged process. - CVE-2015-6617
Remote Code Execution Vulnerability in Bluetooth - A vulnerability in Android's Bluetooth component could allow remote code execution from a successfully paired device, after the personal area network (PAN) profile is enabled (for example using Bluetooth Tethering) and the device is paired. The remote code execution would be at the privilege of the Bluetooth service. A device is only vulnerable to this issue from a successfully paired device while in local proximity. - CVE-2015-6618
Elevation of Privilege Vulnerabilities in libstagefright - Multiple vulnerabilities in libstagefright can enable a local malicious application to execute arbitrary code within the context of the mediaserver service. - CVE-2015-6620
Elevation of Privilege Vulnerability in SystemUI - When setting an alarm using the clock application, a vulnerability in the SystemUI component can allow an application to execute a task at an elevated privilege level. - CVE-2015-6621
Information Disclosure Vulnerability in Native Frameworks Library - An information disclosure vulnerability in Android Native Frameworks Library can permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. - CVE-2015-6622
Information Disclosure Vulnerabilities in libstagefright - Information disclosure vulnerabilities in libstagefright, during communication with mediaserver, can permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. - CVE-2015-6626, CVE-2015-6631, CVE-2015-6632
Information Disclosure Vulnerability in Audio - A vulnerability in the Audio component can be exploited during audio file processing. This vulnerability could allow a local malicious application, during processing of a specially crafted file, to cause information disclosure. - CVE-2015-6627
Information Disclosure Vulnerability in Media Framework - An information disclosure vulnerability in Media Framework, during communication with mediaserver, can permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. - CVE-2015-6628
Information Disclosure Vulnerability in Wi-Fi - A vulnerability in the Wi-Fi component could allow an attacker to cause the Wi-Fi service to disclose information. - CVE-2015-6629
Information Disclosure Vulnerability in SystemUI - An information disclosure vulnerability in the SystemUI can enable a local malicious application to gain access to screenshots. - CVE-2015-6630
Not all Priv owners have received the update yet, and it is still expected to begin rolling out through carriers at some point today. Even so, it's interesting that BlackBerry was able to get these updates rolling out to unlocked BlackBerry Privs ahead of Google's official announcement of the changes and, ultimately, ahead of Nexus devices, which have also started receiving the update today.
BlackBerry powered by Android Security Bulletin – December 2015