Code changes are pushing out to AOSP, updates are coming for Nexus devices and factory images are posted and ready.
Google has released the latest monthly Android security update, with full details and new software available. The new Security Patch Level date is June 1, 2016, and the corresponding changes to the Android Open Source Project should be finished and published within 48 hours. Google also tells us that partners have had access to the issues in this month's bulletin since May 2 or earlier.
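The patch level is the one thing a device owner or fleet admin can actually verify against this bulletin. The following is an added example, not code from the article or from Google's bulletin: a POSIX shell script that reads the device's level from the ro.build.version.security_patch system property over adb and checks it against the June 1, 2016 level. The function names, the REQUIRED_LEVEL constant and the assumption of a single attached device with adb on PATH are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): does the attached device carry the
# Security Patch Level this bulletin sets? Android reports the level in the
# ro.build.version.security_patch property as YYYY-MM-DD, so once the format
# is validated the dashes can be dropped and the dates compared as integers.

REQUIRED_LEVEL="2016-06-01"   # assumption: the level we are checking for

# patch_level_ok REQUIRED ACTUAL -> returns 0 if ACTUAL is at or past REQUIRED.
# Anything that is not a YYYY-MM-DD string (empty, missing property on older
# builds, garbage) is treated as NOT patched rather than silently passing.
patch_level_ok() {
    required="$1"
    actual="$2"
    case "$actual" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    req_num=$(printf '%s' "$required" | tr -d '-')
    act_num=$(printf '%s' "$actual" | tr -d '-')
    [ "$act_num" -ge "$req_num" ]
}

# Read the level from the device (assumes adb on PATH and one device attached);
# tr strips the trailing CR/LF some adb builds emit.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n'
}

# Print a verdict and return non-zero when the device is behind the bulletin.
report() {
    level=$(device_patch_level)
    if patch_level_ok "$REQUIRED_LEVEL" "$level"; then
        echo "OK: device patch level ${level:-<unset>} >= $REQUIRED_LEVEL"
    else
        echo "NOT PATCHED: device patch level ${level:-<unset>} < $REQUIRED_LEVEL"
        return 1
    fi
}

# Only talk to a device when adb is actually available on this host.
if command -v adb >/dev/null 2>&1; then
    report
fi
```

Run it with a device attached and USB debugging enabled; the exit status makes it usable from a fleet-inventory script, and an unset property (older builds never set it) is deliberately reported as unpatched rather than ignored.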
This month brings patches for 21 security vulnerabilities, ranging in severity from critical to moderate. According to Google, the most severe issue is "a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files." The Stagefright media library clearly remains a popular target for security researchers as well as for Google's own security team, which makes the media stack hardening in Android N, where mediaserver is split into several separately sandboxed processes that each hold fewer privileges, even more important.
Google also stresses (as it does each month) that there have been zero reports of any devices actively exploited by these vulnerabilities, and that platform-level security protections and service protections like SafetyNet make the risk of actually being affected quite low.
A quick summary:
- Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
- The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services, and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
- As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.
Full details of all the issues addressed can be found at the security bulletin site.
There is no word on when to expect the patch for any other Android-powered device, but current Nexus devices, Android One phones and the Pixel C have an update pushing out over-the-air starting today, and it should be rolled out to all devices in due time. If you're the impatient type (and if so, why aren't you running the Android N Beta?) you can flash the factory images posted at Google's Developer site.