BlackBerry have promised to deliver security patches on a monthly basis for the BlackBerry Priv, and so far they are keeping good on that promise.
The company has today rolled out the April Security upgrade (AAE298) to BlackBerry Priv’s worldwide.
The update comes in at 20.9Mb and updates 52 apps.
It should be noted that whilst this security update includes Google’s April Security update, BlackBerry have not updated the build number, which is still AAE298 from the March supplementary update last month.
The following vulnerabilities have been remediated in this update: [table style=”table-striped”]
Summary Description CVE Remote Code Execution Vulnerability in DHCPD A vulnerability in the Dynamic Host Configuration Protocol service could enable an attacker to cause memory corruption, which could lead to remote code execution. CVE-2016-1503 Remote Code Execution Vulnerabilities in Mediaserver During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media. CVE-2016-0837 CVE-2016-0838 CVE-2016-0841 Elevation of Privilege Vulnerability in Qualcomm RF component A vulnerability in the Qualcomm RF driver could enable a local malicious application to execute arbitrary code within the context of the kernel. CVE-2016-0844 Elevation of Privilege Vulnerability in IMemory Native Interface An elevation of privilege vulnerability in the IMemory Native Interface could enable a local malicious application to execute arbitrary code within the context of an elevated system application. CVE-2016-0846 Elevation of Privilege Vulnerability in Telecom Component An elevation of privilege vulnerability in the Telecom Component could enable an attacker to spoof calls to appear from any arbitrary number. CVE-2016-0847 Elevation of Privilege Vulnerability in Download Manager An elevation of privilege vulnerability in the Download Manager could enable an attacker to gain access to unauthorized files in private storage. CVE-2016-0848 Elevation of Privilege Vulnerability in Recovery Procedure An elevation of privilege vulnerability in the Recovery Procedure could enable a local malicious application to execute arbitrary code within the context of an elevated system application. CVE-2016-0849 Elevation of Privilege Vulnerability in Bluetooth An elevation of privilege vulnerability in Bluetooth could enable an untrusted device to pair with the phone during the initial pairing process. This could lead to unauthorized access of the device resources, such as the Internet Connection. CVE-2016-0850 Elevation of Privilege Vulnerability in a Qualcomm Video Kernel Driver An elevation of privilege vulnerability in a Qualcomm video kernel driver could enable a local malicious application to execute arbitrary code within the context of the kernel. CVE-2016-2410 Elevation of Privilege Vulnerability in Qualcomm Power Management component An elevation of privilege vulnerability in a Qualcomm Power Management kernel driver could enable a local malicious application to execute arbitrary code within the context of the kernel. CVE-2016-2411 Elevation of Privilege Vulnerability in System_server An elevation of privilege vulnerability in System_server could enable a local malicious application to execute arbitrary code within the context of an elevated system application. CVE-2016-2412 Elevation of Privilege Vulnerability in Mediaserver An elevation of privilege vulnerability in mediaserver could enable a local malicious application to execute arbitrary code within the context of an elevated system application. CVE-2016-2413 Denial of Service Vulnerability in Minikin A denial of service vulnerability in the Minikin library could allow a local attacker to temporarily block access to an affected device. An attacker could cause an untrusted font to be loaded and cause an overflow in the Minikin component which leads to a crash. CVE-2016-2414 Information Disclosure Vulnerability in Exchange ActiveSync An information disclosure vulnerability in Exchange ActiveSync could enable a local malicious application to gain access to user’s private information. CVE-2016-2415 Information Disclosure Vulnerabilities in Mediaserver Information disclosure vulnerabilities in mediaserver could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. CVE-2016-2416 CVE-2016-2417 Elevation of Privilege Vulnerability in Setup Wizard A vulnerability in the Setup Wizard could allow a malicious attacker to bypass the Factory Reset Protection and gain access to the device. CVE-2016-2421 Elevation of Privilege Vulnerability in Wi-Fi An elevation of privilege vulnerability in Wi-Fi could enable a local malicious application to execute arbitrary code within the context of an elevated system application. CVE-2016-2422 Elevation of Privilege Vulnerability in Telephony A vulnerability in Telephony could allow a malicious attacker to bypass the Factory Reset Protection and gain access to the device. CVE-2016-2423 Denial of Service Vulnerability in SyncStorageEngine A denial of service vulnerability in the SyncStorageEngine could enable a local malicious application to cause a reboot loop. CVE-2016-2424 Information Disclosure Vulnerability in Framework An information disclosure vulnerability in the Framework component could allow an application to access sensitive information. CVE-2016-2426 Information Disclosure Vulnerability in BouncyCastle An information disclosure vulnerability in BouncyCastle could allow an authentication key to be leaked. CVE-2016-2427 Elevation of Privilege Vulnerability in the Kernel An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code within the context of the kernel.
[/table] If you own a Priv and are not seeing the system update message, you can check manually by heading into Settings -> About phone -> System updates and checking manually.
