Google is releasing monthly Android security updates, and you can read all of the details in the Nexus Security Bulletins. I’ll write a summary of each month’s update for TechRepublic readers.
Without further ado, here’s the March 2016 briefing.
Highlights of the March 2016 Android Security Update
There are 16 issues in the update: 6 are Critical, 8 are High, and 2 are Moderate. The vulnerabilities I list below illustrate the variety of fixes Google has patched this month.
Critical vulnerabilities
The security updates range from privilege vulnerabilities, remote code execution vulnerabilities, remote denial of service vulnerabilities, and mitigation bypass vulnerabilities.
- The most critical issue was remote code execution vulnerabilities in Mediaserver and libvpx. The flaw could have allowed a third party to use MMS media or browser playback media to execute malicious code on either a smartphone or a tablet. Google has released fixes for all iterations of Android, going back to 4.4.4.
- Elevation of Privilege in Conscrypt: This vulnerability could allow a specific type of invalid certificate (one issued by an intermediate Certificate Authority) to be incorrectly trusted. This particular vulnerability would allow man-in-the-middle attacks, as well as an elevation of privilege and remote arbitrary code execution.
- Elevation of Privilege Vulnerability in MediaTek Wi-Fi Kernel Driver: The Wi-Fi kernel driver contained a vulnerability that could enable a local malicious application to execute arbitrary code within the kernel, thus allowing elevation of privilege.
High vulnerabilities
- Information Disclosure Vulnerability in Kernel: This vulnerability could permit a bypass of security measures put in place (such as ASLR in a privileged process) to increase the difficulty of platform exploitation.
- Information Disclosure Vulnerability in libstagefright: This vulnerability could permit a bypass of security measures in place (such as Signature or SignatureOrSystem permission privileges) to increase the difficulty of attackers exploiting the platform.
- Information Disclosure Vulnerability in Widevine: This vulnerability could allow code running in the kernel context to access information in TrustZone secure storage.
- Remote Denial of Service Vulnerability in Bluetooth: This vulnerability could allow a proximal attacker to block access to an affected device. The end result would cause an overflow of identified Bluetooth devices and lead to memory corruption and service stoppage.
Moderate vulnerabilities
- Information Disclosure Vulnerability in Telephony: This vulnerability could allow an application access to sensitive information.
- Elevation of Privilege Vulnerability in Setup Wizard: This vulnerability could enable an attacker with physical access to the affected device to perform a manual device reset.
See if your device has the latest update
As of this writing, the security update hasn’t rolled out to all devices. My Verizon-branded Nexus 6 has yet to see the update hit.
To check to see if your device has updated to the latest security patch, go to Settings | About Phone and scroll down to Android Security Patch Level. If you see March 1, 2016, your device is current. If your device reads February 1, 2016 (Figure A), check back regularly to ensure the update does eventually reach your device. You might also go to Settings | About Phone | System Updates and tap CHECK FOR UPDATE.
Figure A
My device is not showing the March 2016 update yet.
To get a full listing of what was patched, check out the March 2016 Security Update bulletin.
Check back next month for my recap of the April 2016 Security Updates. Until then, keep your Android device up to date.