Google fixes final ‘Quadrooter’ flaws with new security patch
The outstanding flaws were fixed a month after the initial disclosure.
http://www.zdnet.com/article/google-fixes-quadrooter-flaws-in-latest-round-of-android-security-patches/

What took Google a month to fix took others just a couple of weeks.

In the latest round of Android security fixes released Tuesday, the company fixed two remaining flaws that were part of the so-called “Quadrooter” set of vulnerabilities announced last month.

Quadrooter was particularly troublesome because the set of four flaws (hence the name “quad”) affected at least 900 million Android devices. These high-risk vulnerabilities would allow a dedicated and well-trained attacker to gain complete access to an affected phone and its data.

Google, which develops Android, said that most phones had received at least two or even three of the fixes in previous security bulletins. But the rest would remain outstanding for a month, until now, when the company released its regularly-scheduled monthly patches.

According to the bulletin, Google confirmed that the two escalation of privilege bugs — CVE-2016-2059 (rated “high”) and CVE-2016-5340 (rated “critical”) — were fixed.

The Android software and phone maker also fixed six more critical bugs in the mobile operating system, including two remote code execution flaw in core Android components.

All that means the time from when a flaw is identified or disclosed to when it is fixed is longer than it should be, sometimes leaving hundreds of millions of phones vulnerable for weeks or months.

“The problem continues to be that Android security updates are really hard because of [their] fragmented ecosystem,” said Check Point mobile security evangelist Jeff Zacuto told Recode.

Source: http://www.recode.net/2016/8/8/12403088/android-security-mess-quadrooter