Google has today released their monthly security update notice for March, advising their partners of new vulnerabilities that have been patched. The announcement of new security vulnerabilities also means that Google has updated their Nexus Factory Images for selected Nexus devices.
The list of vulnerabilities includes the Common Vulnerabilities and Exposures ID (CVE) for each issue, ordered by severity. The severity rating of each vulnerability is assessed by the effect that exploiting that CVE would have on an affected device, assuming the platform and service mitigations were bypassed or disabled.
This month, Google has patched six critical, eight high and two moderate severity vulnerabilities, which you can see listed in the table below.
Issue | CVE | Severity |
---|---|---|
Remote Code Execution Vulnerability in Mediaserver | CVE-2016-0815, CVE-2016-0816 | Critical |
Remote Code Execution Vulnerabilities in libvpx | CVE-2016-1621 | Critical |
Elevation of Privilege in Conscrypt | CVE-2016-0818 | Critical |
Elevation of Privilege Vulnerability in the Qualcomm Performance Component | CVE-2016-0819 | Critical |
Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver | CVE-2016-0820 | Critical |
Elevation of Privilege Vulnerability in Keyring Component | CVE-2016-0728 | Critical |
Mitigation Bypass Vulnerability in the Kernel | CVE-2016-0821 | High |
Elevation of Privilege in MediaTek Connectivity Driver | CVE-2016-0822 | High |
Information Disclosure Vulnerability in Kernel | CVE-2016-0823 | High |
Information Disclosure Vulnerability in libstagefright | CVE-2016-0824 | High |
Information Disclosure Vulnerability in Widevine | CVE-2016-0825 | High |
Elevation of Privilege Vulnerability in Mediaserver | CVE-2016-0826, CVE-2016-0827 | High |
Information Disclosure Vulnerability in Mediaserver | CVE-2016-0828, CVE-2016-0829 | High |
Remote Denial of Service Vulnerability in Bluetooth | CVE-2016-0830 | High |
Information Disclosure Vulnerability in Telephony | CVE-2016-0831 | Moderate |
Elevation of Privilege Vulnerability in Setup Wizard | CVE-2016-0832 | Moderate |
OEMs that have committed to monthly security patches, such as LG and Samsung, can now pull the fixes from AOSP, build them into their own software and release patches. For carrier-locked models, those patches will of course have to go through testing by the carriers before release.
For the majority of Nexus devices, at least those purchased from the Google Store, there is no such wait – no, Telstra isn’t blocking those updates, we checked – and OTA updates of the March security patch will begin shortly. If you can’t wait, you can of course dirty flash the factory images which have been released for the Nexus 5, 5X, 6, 7 (2013) Wi-Fi and LTE, 9 Wi-Fi and LTE, and Nexus Player – that’s right, the Nexus 6P is still not updated as yet, but shouldn’t be too far away.
The Nexus-like Pixel C gets an update as well, with factory image 6.0.1 (MXC14G) now available to download, but again, OTA updates for the Pixel C should be arriving soon too.
I wonder if there will be another version bump before N. Good to see constant security patches from Google though.