We already know that the January security patch will start being deployed in the first few weeks of 2017, but we had no idea what it might contain. Google hasn’t yet confirmed when it will release the security update nor its contents.
Luckily, US-based carrier Verizon confirmed the January security patch will be available early next year, so we’re probably less than a week away from its release.
But if you want to know the contents of this update before Google launches it, then you’re in luck since LG has done the unthinkable and published the entire January security bulletin before the search giant could do it.
“The January Security Bulletin contains the 81 patches for the vulnerabilities from Google and LG. The most severe of these vulnerabilities is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files,” reads the bulletin.
LG has patched eight vulnerabilities of its own
Aside from the vulnerabilities mentioned earlier, LG also revealed some vulnerabilities and exposures (LVE) items of its own. There are eight LVE items from LG: 1 critical, 2 high, 4 moderate, and 1 low.
The critical vulnerability refers to LG smartphones powered by MediaTek chipset, as the MTKLogger application that logs personal information to storage without user consent can be started by third-party application without user content.
This is not the first time that MediaTek is being called out as a security liability, as the Taiwanese chipset maker is known for hiding third-party monitoring software from handset makers.
The high vulnerability addressed in the January security patch refers to devices with LG Touchscreen driver. Here is its full description: “an elevation of privilege vulnerability in write_file/write_log of LG touch driver could enable a local malicious application to execute arbitrary code within the context of the kernel.”
Make sure to check out below the full list of vulnerabilities and exposures (LVE) items included in the January security patch.