Pretty soon your Nexus Player will receive an OS update notification because it is time for March’s security update. The security bulletin, published today, contains a number of fixes in various parts of the operating system related to elevation of privilege. These are not issues the average user is likely to encounter, but any type of security vulnerability should be resolved quickly.
Google’s MediaServer APIs are a frequent source of vulnerabilities. Because media management is so prevalent throughout the operating system and core apps, it is an easy way to attack users. A corrupted video on a website or a rogue attachment to a text message could cause a number of serious problems for the user.
Two of the reported bugs allowed remote code execution with a specific type of media file. The MediaServer, being an integral system component, has access to more parts of the device than a standard app. A rogue media-playing application could cause privilege elevation and allow the app to do things it normally could not.
Bluetooth Denial of Service
Another potentially relevant fix is related to Bluetooth. Bluetooth is the communication protocol that wireless remotes and gamepads use to communicate with your TV. An attacker could cause a device to discover a significant number of Bluetooth-enabled devices in the nearby area. This would cause the Bluetooth service to crash due to an overflow of devices. The Bluetooth service would continue to crash every time the device starts, and could only be fixed by factory resetting the device.
Other Security Fixes
Google highlights a number of other security fixes. Several of them were rated as critical flaws, so the fixes are welcome.
The Nexus Player (codenamed Fugu) has the OS image available to download from Google’s website if you’re too impatient to wait for the OTA update.