Welcome back to another thrilling episode of Google's Monthly Security Update. February has arrived, and that means it is time for Google to outline all of the patches being made to Android and point out who made those patches.
For the uninitiated, Google (and the Android Open Source Project) accepts contributions from external sources as well as the teams inside Google. Every month these contributions are sent to Google's partners so they can update their own devices, and roughly a month later those updates are pushed to the Nexus line. Some partners are really good about updating their products, but this monthly cycle is still a challenge for many companies using Android on their products.
Here's what's being fixed this month.
The issues marked Critical by Google's internal team this month are all about escalation of privileges and remote code execution. The February update will address remote code issues in a Broadcom Wifi driver as well as the Mediaserver, while dealing with escalation issues in Qualcomm's performance module, Wifi driver, and debugger daemon. There also are escalation vulnerabilities being addressed in the general Android Wifi and Mediaserver systems, but these issues were marked High instead of Critical in Google's severity list. An update to the Minikin library addressed a possible Denial of Service vulnerability as well.
As always, Google claims there are no reports of active customer exploitation using the issues that have been reported and and patched in this update.
Two CVE markers labeled Moderate by Google point to a way to bypass the factory reset protection in the Android setup wizard, and these issues have been patched. While Google has marked this issue Moderate, it's important to understand what this issue means for users. A vulnerability existed that allowed someone who knew how to bypass the security measure that keeps someone from accessing your phone just by performing a factory reset. As is often the case, Google claims there are no reports of active customer exploitation using the issues that have been reported and and patched in this update.
Nexus users who want to flash this update right now can head to the Google Developer site and grab the latest release for flashing. An OTA update with this patch will be available to Nexus phones and tablets in the immediate future, though BlackBerry Priv owners may have noticed this OTA update was available this morning and can be installed now. See you next month!