Google Publishes May’s Android Security Bulletin – Here’s What’s New
You might remember that last year Google promised to be more transparent with patching security vulnerabilities. Google promised to deliver monthly updates fixing any vulnerabilities they discovered that affected Nexus devices. Eventually, several OEMs have gotten on board with delivering monthly security patches, and eventually the scope of the Nexus Security Bulletin was broadened to discover and patch many general Android security issues. To reflect this change in scope, Google has announced that starting this month, they’ve renamed the Nexus Security Bulletin to the Android Security Bulletin. And as promised, they’ve just posted this month’s set of security patches.
This month, Google has identified and patched a total of 25 security vulnerabilities. For the severities of the discovered vulnerabilities, 6 were marked as critical, 12 as high, 6 as moderate, and 1 was marked as low. Of these vulnerabilities, 24 out of 25 affected Nexus or Android One devices. By far the most critical security issue patched by Google was an issue affecting mediaserver which allowed for remote code execution. A user who opened an infected media file from any method (by email, web browsing, MMS, etc.) could have triggered code to remotely executive on their device without your knowledge or consent. According to Google, there have been no reports that this vulnerability was exploited in a real-world setting, at least.
For a list of all other security vulnerabilities discovered and patched by Google, you can read the full Android Security Bulletin for the month of May. As you’ll notice, many of the vulnerabilities discovered are quite broad (such as the ones related to NVIDIA’s video drivers or Qualcomm’s Wi-Fi drivers) and apply to more than just Google’s Nexus devices, so it’s imperative that you accept the update as soon as you are able to no matter what device you use.
- Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. All users are encouraged to update to the latest version of Android where possible.
- The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services, and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
- As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.
When do I get the Update?
Luckily for Google Nexus device owners, you should start seeing this update very soon on your device. As usual, the update is rolling out to users in waves so you may or may not receive it immediately. There’s always the factory image route if you would rather not wait. If you’re waiting for a custom ROM to implement these updates, then you’ll have to wait for the updated source to drop into the AOSP within the next 2 days.
For users on devices made by other manufacturers, your wait time will vary.Google’s partners were notified of these security issues identified in this bulletin by April 4, 2016, so OEMs have had plenty of time patching their own custom builds of Android to fix these security holes. You should expect an update to roll out sometime this month, but remember that these updates always reach people in waves and that OEMs like to bundle their own feature updates alongside these patches, which may delay the update. The Nextbit Robin, for instance, pushed out an update on April 27th that patched the security issues mentioned in April’s security bulletin.
What are your thoughts on Google’s pro-active stand on Android security? Is this an improvement over past promises? Or is their current course of action also questionable? Let us know your thoughts in the comments below!