Notes and new factory images for the May Android patch are now available, with source code and updates rolling out.
Google's monthly security patch notes have a new name and a new purpose — they're now titled the Android Security Bulletin, and the scope has been broadened to include mention of vulnerabilities that affect phones and tablets that aren't Nexus branded from Google.
The updates for the Nexus line, both over the air and as new factory images, haven't changed: OTA updates have begun their staggered rollout, and new factory images have been posted on Google's developer site for manual download and installation. The new Security Patch Level is May 1, 2016 (reported by updated devices as 2016-05-01), and the corresponding changes to the Android Open Source Project should be published within 48 hours. Google also says that partners have had access to the issues in this month's bulletin since April 4, 2016 or earlier.
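One practical check, added here as an example (it is not from the article, the bulletin, or Google's tooling): after the OTA or a factory flash, confirm that the device actually reports the bulletin's patch level rather than trusting the build number. The script reads `ro.build.version.security_patch` over adb and compares it against 2016-05-01. It assumes `adb` is on PATH and the device has USB debugging enabled; the script name `check_patch_level.sh` is just the one used for the usage guard.

```shell
#!/bin/sh
# Added example, not from the article or from Google: verify that an
# Android device reports the May 2016 Security Patch Level (2016-05-01).
# Assumes adb is on PATH and the device has USB debugging enabled.

REQUIRED_PATCH_LEVEL="2016-05-01"   # patch level string for this bulletin

# to_int YYYY-MM-DD -> YYYYMMDD so that ISO dates compare numerically.
# Prints nothing and returns 1 if the input is not a well-formed date.
to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    year=${1%%-*}
    rest=${1#*-}
    month=${rest%%-*}
    day=${rest#*-}
    printf '%s%s%s\n' "$year" "$month" "$day"
}

# patch_level_ok LEVEL
# Returns 0 if LEVEL is on or after the required level, 1 if it is older,
# 2 if LEVEL is empty or malformed. Builds that do not set the property
# report an empty string, which must not be mistaken for "patched".
patch_level_ok() {
    have=$(to_int "$1") || return 2
    need=$(to_int "$REQUIRED_PATCH_LEVEL")
    [ "$have" -ge "$need" ]
}

# device_patch_level [SERIAL]
# Read ro.build.version.security_patch from a connected device.
device_patch_level() {
    if [ -n "$1" ]; then
        adb -s "$1" shell getprop ro.build.version.security_patch
    else
        adb shell getprop ro.build.version.security_patch
    fi 2>/dev/null | tr -d '\r\n'
}

# check_device [SERIAL]
# Print a one-line verdict; exit status is the same as patch_level_ok.
check_device() {
    name=${1:-device}
    level=$(device_patch_level "$1")
    patch_level_ok "$level"
    rc=$?
    case $rc in
        0) echo "$name: patch level $level is current (>= $REQUIRED_PATCH_LEVEL)" ;;
        1) echo "$name: patch level $level is OLDER than $REQUIRED_PATCH_LEVEL, update needed" ;;
        *) echo "$name: no usable security patch level reported ('$level')" ;;
    esac
    return $rc
}

# Only talk to a device when run directly, so the functions can be sourced.
if [ "${0##*/}" = "check_patch_level.sh" ]; then
    check_device "$1"
fi
```

Run it as `sh check_patch_level.sh [serial]`; with several Nexus devices attached, loop over `adb devices` and call `check_device` per serial. The script returns 2 for an empty or malformed value on purpose: a device that does not set the property has not demonstrated that it is patched, and a fleet check should treat that case as a failure, not as a pass.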
According to Google, "The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."
In total, 25 security vulnerabilities have been addressed, ranging from Critical to Low in assessed severity; 24 of them affect Nexus or Android One branded devices. Google also stresses that it has had no reports of active exploitation or abuse of these issues, and that platform-level security protections and service protections like SafetyNet reduce the likelihood that they can be successfully exploited. A quick summary:
- Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
- The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services, and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
- As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.
Full details of all the issues addressed can be found on the security bulletin site.
The most interesting part of this month's notice is the way the program has been renamed to drop the "Nexus" tag, and what that might mean. For starters, each vulnerability now identifies which of Google's own devices are affected, and exactly which devices and platform source versions will be updated.
Some, like the NVIDIA video driver vulnerabilities, are kernel patches that apply to every kernel version of the Nexus 9 and to nothing else. Others, like the Mediaserver vulnerability mentioned above, affect everything currently supported directly by Google: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9 and all Android One models, as well as every AOSP version from 4.4.4 onward. This is Google's way of telling everyone that the patch encompasses security updates for all current devices and code, even when an individual vulnerability doesn't affect a particular phone or tablet.
Also worth noting — the Nexus Player and Pixel C are not mentioned by name in the document. This doesn't mean they won't be updated, of course, but we're not sure if anything has changed with these two models. I've reached out to Google for clarification, and will update when we know more.
That's not the only change to the program. Google has also specifically named a vulnerability that doesn't affect any of its own hardware: a vulnerability in the Qualcomm tethering controller. While many of the other vulnerabilities affect Android as a whole, this one is in a component that not every device uses (unlike Mediaserver, which every device does). By naming it, Google is letting users know that there are also patches outside the core Android source that specific vendors will need to incorporate.
The patched source has been made available both directly to vendors and in the AOSP tree. Without actually saying as much, Google has put the folks making Android phones under the spotlight. Everything Google does means something — you don't steer a boat this big without making some waves. Seeing if there's any response from partners will be interesting (and telling), but we don't really expect any. I'm going to try and get some sit-down time with the right people at Google I/O 2016 and see what, if anything, these changes mean.
In the meantime, start checking for those OTA updates or get to flashing if you have a current Nexus.