The first Monday of every month has become the day when Google updates the Android operating system with security patches from issues that were reported. These audits come from internal teams or from security researchers. Along with these patches, Google publishes images for the Nexus devices and they receive OTA updates within the following days. These security updates occur separately from the OS, so your phone may stay on Marshmallow even while Nougat is in a developer preview.
Google, starting last month, has been publishing two updates: one contains a few major fixes that every OEM should implement, and the second may be specifically for Nexus devices or perhaps specific hardware.
Below are some of the more interesting highlights, although you can read the entire thing in their security bulletin.
MediaServer Remote Execution
The MediaServer has been a component that’s highly vulnerable, partially due to how much it’s used. It processes different types of media and may be called upon by the operating system, system apps, or third-party apps. Since it deals with all kinds of media, it’s possible for it to read in a specific, corrupt file that causes the file to execute code on the device. It’s a pretty major vulnerability, especially if it can access your contacts and send the message to other users.
DoS in System Clock
This one is rather interesting. A malicious actor could cause your device to crash by performing a denial of service attack on the system clock. This clock, which is vital for keeping activities and processes scheduled, is also a vulnerability since it’s failure could prevent processes from executing at the right time and the phone would be able to run.
Qualcomm is a major company for phone chips, which also means there’s a lot of opportunities to find issues in their hardware interfaces. There were several major vulnerabilities found, including remote execution in the Nexus 7 Wi-Fi driver and kernel access in the Nexus 7 and Nexus 5.
A privilege escalation issue was found in their GPU, allowing malicious apps from having more control over the device than they should.
Update your device!
When you get that notification to update your device, it should be done as soon as you can. There are many vulnerabilities that exist in today’s complex systems. We’re doing a better job of finding and fixing them, but it’s partially on the user to keep things up-to-date.