Nexus Player Getting April Security Update

Google’s monthly security bulletin, outlining a number of vulnerabilities in the Android operating system and including patches, has just been published. This month has a notable 29 different vulnerabilities ranging from moderate to critical severity. The Nexus Player should be receiving a fix in the next couple of days, at least for those still on Android Marshmallow. It’s not clear when these will be rolling out to those on the Android N beta. In your settings, under about, users can check the month and year of the last security patch.

Remote Code Execution

A number of remote code vulnerabilities have been patched. This exploit occurs when an attacker overflows some internal memory buffer beyond a normal range. This overflowed rogue data can be placed into other areas of the system memory including the program controller. The controller may then stop executing normal system code and instead execute some commands supplied by the attacker. This can be mitigated in some cases by having a sandbox system, when executable code may only be run in particular conditions such as if a user grants a permission.

Remote code execution exploits have been discovered in several parts of the OS: the Dynamic Host Configuration Protocol (DHCP), MediaServer, and libstagefright. As these are key to the device, they have a higher privilege and greater access to internal systems. All three reports have been marked as being critical priority as it would be possible for an attacker to run this exploit on a phone in a number of apps which use the MediaServer or Stagefright (through most apps that show user-generated images or videos).

Elevation Privilege

Similarly, breaking out of the sandbox model and running particular code can cause a device to become inoperable by the user. Elevation privilege exploits were reported in the kernel, download manager, several Qualcomm modules, MediaServer, System_server, setup wizard, Wi-Fi, and Telephony.

Other Fixes

The remaining few reports include a denial of service vulnerability, when a user is unable to access a device or service, in the SyncStorageEngine and the Minikin library.

Nick Felker

Nick Felker

Nick Felker is a student Electrical & Computer Engineering student at Rowan University (C/O 2017) and the student IEEE webmaster. When he's not studying, he is a software developer for the web and Android (Felker Tech). He has several open source projects on GitHub ( Devices: Moto G-2013 Moto G-2015, Moto 360, Google ADT-1, Nexus 7-2013 (x2), Lenovo Laptop, Custom Desktop. Although he was an intern at Google, the content of this blog is entirely independent and his own thoughts.

More Posts - Website

Follow Me:
TwitterLinkedInGoogle PlusReddit