It’s June, and as has happened every month since Google announced it would disclose security vulnerabilities monthly and release patches for them, Google has published their monthly security blog, updated the factory images for supported Nexus devices, and added OTA files for them as well.
The factory images can be flashed onto your device, but you may want to check out the OTA updates, which are probably a bit easier to apply and integrate with your phone or tablet a little more smoothly. The Nexus Player, Nexus 5, Nexus 6, Nexus 7 (Wi-Fi & GSM) and Nexus 9 (Wi-Fi & LTE) are all on build MOB30M, while the Nexus 5X and 6P are on MTC19V. The Pixel C stands alone with build number MXC89H.
The list of vulnerabilities this month includes 21 issues, with sub-issues listed by their Common Vulnerabilities and Exposures (CVE) ID. In all, there are six critical, eleven high and four moderate issues to report this month. Google has laid them out in a nice table in their security blog, or you can see them here:
Issue | CVE | Severity | Affects Nexus? |
---|---|---|---|
Remote Code Execution Vulnerability in Mediaserver | CVE-2016-2463 | Critical | Yes |
Remote Code Execution Vulnerabilities in libwebm | CVE-2016-2464 | Critical | Yes |
Elevation of Privilege Vulnerability in Qualcomm Video Driver | CVE-2016-2465 | Critical | Yes |
Elevation of Privilege Vulnerability in Qualcomm Sound Driver | CVE-2016-2466, CVE-2016-2467 | Critical | Yes |
Elevation of Privilege Vulnerability in Qualcomm GPU Driver | CVE-2016-2468, CVE-2016-2062 | Critical | Yes |
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver | CVE-2016-2474 | Critical | Yes |
Elevation of Privilege Vulnerability in Broadcom Wi-Fi Driver | CVE-2016-2475 | High | Yes |
Elevation of Privilege Vulnerability in Qualcomm Sound Driver | CVE-2016-2066, CVE-2016-2469 | High | Yes |
Elevation of Privilege Vulnerability in Mediaserver | CVE-2016-2476, CVE-2016-2477, CVE-2016-2478, CVE-2016-2479, CVE-2016-2480, CVE-2016-2481, CVE-2016-2482, CVE-2016-2483, CVE-2016-2484, CVE-2016-2485, CVE-2016-2486, CVE-2016-2487 | High | Yes |
Elevation of Privilege Vulnerability in Qualcomm Camera Driver | CVE-2016-2061, CVE-2016-2488 | High | Yes |
Elevation of Privilege Vulnerability in Qualcomm Video Driver | CVE-2016-2489 | High | Yes |
Elevation of Privilege Vulnerability in NVIDIA Camera Driver | CVE-2016-2490, CVE-2016-2491 | High | Yes |
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver | CVE-2016-2470, CVE-2016-2471, CVE-2016-2472, CVE-2016-2473 | High | Yes |
Elevation of Privilege Vulnerability in MediaTek Power Management Driver | CVE-2016-2492 | High | Yes |
Elevation of Privilege Vulnerability in SD Card Emulation Layer | CVE-2016-2494 | High | Yes |
Elevation of Privilege Vulnerability in Broadcom Wi-Fi Driver | CVE-2016-2493 | High | Yes |
Remote Denial of Service Vulnerability in Mediaserver | CVE-2016-2495 | High | Yes |
Elevation of Privilege Vulnerability in Framework UI | CVE-2016-2496 | Moderate | Yes |
Information Disclosure Vulnerability in Qualcomm Wi-Fi Driver | CVE-2016-2498 | Moderate | Yes |
Information Disclosure Vulnerability in Mediaserver | CVE-2016-2499 | Moderate | Yes |
Information Disclosure Vulnerability in Activity Manager | CVE-2016-2500 | Moderate | Yes |
You can get the OTA files or factory images from the Nexus developer page, but remember you’ll have to accept the terms and conditions for use before you can jump in there.
Just downloaded the June security update on my S7 on Vodafone; previously it was February, which came installed on it
I still haven’t installed the last one. Yup.. left that notification sitting there for the last ~ 3 weeks now.
Looking forward to Android N no longer needing to check each app after the security update. With over 100 apps on my phone, it renders my phone unusable for almost an hour.
You know what’s funny, for the first time my Vodafone S7 edge had this Android security update since Saturday, 3 days before the Nexus. Didn’t think it was possible.
It was probably a previous month update.
It’s possible, partners get Android security patches early 🙂
I know. I work for an Android OEM :P, no AMA sorry.