Google's monthly security patch notes have a new name and a new purpose: they're now titled the Android Security Bulletin, and the scope has been broadened to include vulnerabilities that affect phones and tablets other than Google's own Nexus devices.
The updates for the Nexus line, both over the air and as new factory images, haven't changed. OTA updates have begun their staggered rollout, and new factory images have been posted at Google's developer site for manual download and installation. The new Security Patch Level date is May 1, 2016, and the corresponding changes to the Android Open Source Project should be published within 48 hours. Google also tells us that partners have had access to the issues in this month's bulletin since April 4, 2016 or earlier.
According to Google, "The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."
In total, 25 security vulnerabilities have been addressed, with assessed severities ranging from Critical to Low. 24 of the fixes affect Nexus or Android One devices. Google also stresses that it has had no reports of these vulnerabilities being actively exploited against customers, and that platform-level protections and service protections like SafetyNet make the risk of actually being affected low. A quick summary:
- Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
- The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services, and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
- As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.
Full details of all the issues addressed can be found at the security bulletin site.
The most interesting part of this month's notice is the way the program has been renamed to drop the "Nexus" tag, and what that might mean. For starters, each vulnerability now identifies which of Google's own devices are affected, and exactly which devices and platform source versions will be updated.
Some are narrow: the NVIDIA video driver vulnerabilities, for example, are fixed by a kernel patch for the Nexus 9 alone. Others, like the Mediaserver vulnerability mentioned above, affect everything currently supported directly by Google: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9 and all Android One models, as well as every version of AOSP from 4.4.4 onward. This is Google's way of telling everyone that the patch covers security updates for all current devices and code, even when an individual bug doesn't affect a particular phone or tablet.
Also worth noting — the Nexus Player and Pixel C are not mentioned by name in the document. This doesn't mean they won't be updated, of course, but we're not sure if anything has changed with these two models. I've reached out to Google for clarification, and will update when we know more.
That's not the only change to the program. Google has also specifically named a vulnerability that doesn't affect any of its own hardware: a vulnerability in the Qualcomm tethering controller. While many of the other vulnerabilities affect Android as a whole, this bug lives in vendor code that not every device carries (unlike Mediaserver, which every Android device uses). By listing it, Google is letting users know that there are also patches outside the common Android source tree that specific vendors will need to incorporate themselves.
The patch source was made available directly to vendors and in the AOSP source tree. Without actually saying as much, Google has put the companies making Android phones under the spotlight. Everything Google does means something; you don't steer a boat this big without making some waves. Seeing whether there's any response from partners will be interesting (and telling), but we don't really expect one. I'm going to try to get some sit-down time with the right people at Google I/O 2016 and see what, if anything, these changes mean.
In the meantime, start checking for those OTA updates or get to flashing if you have a current Nexus.
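If you want to confirm that the update actually landed rather than trusting the OTA notification, the patch level is exposed as a system property. The script below is an added example, not code from the article or from Google: it reads `ro.build.version.security_patch` from every device adb can see and compares it with the May 1, 2016 level. It assumes adb is on your PATH and that the device runs Android 6.0 or later, where that property exists; older builds return an empty string, which the script reports separately instead of treating as "patched".

```shell
#!/bin/sh
# Added example (not from the article or from Google): check each attached
# device's Android Security Patch Level against the bulletin's date.
# Assumes adb is installed and the device runs Android 6.0+, where the
# property ro.build.version.security_patch exists. Pre-6.0 builds return
# nothing for it, and that case is reported rather than silently passed.

REQUIRED_LEVEL="2016-05-01"   # Security Patch Level named in the May 2016 bulletin

# iso_to_int 2016-05-01 -> 20160501, so two ISO dates can be compared with -ge
# without depending on the non-portable date(1) parsing flags.
iso_to_int() {
    printf '%s' "$1" | tr -d -
}

# patch_level_ok LEVEL REQUIRED
#   returns 0 if LEVEL is on or after REQUIRED,
#           1 if LEVEL is older than REQUIRED,
#           2 if LEVEL is empty or not YYYY-MM-DD (property missing or garbled).
patch_level_ok() {
    level=$1
    required=$2
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    [ "$(iso_to_int "$level")" -ge "$(iso_to_int "$required")" ]
}

# report_device SERIAL LEVEL prints one status line and returns the
# patch_level_ok code so callers can count stale devices.
report_device() {
    serial=$1
    level=$2
    rc=0
    patch_level_ok "$level" "$REQUIRED_LEVEL" || rc=$?
    case $rc in
        0) printf '%s: patch level %s meets %s\n' "$serial" "$level" "$REQUIRED_LEVEL" ;;
        1) printf '%s: patch level %s is BEHIND %s, check for the OTA\n' "$serial" "$level" "$REQUIRED_LEVEL" ;;
        *) printf '%s: no usable patch level (%s): pre-6.0 build or unexpected output\n' "$serial" "${level:-empty}" ;;
    esac
    return $rc
}

# Walk every device in the "device" state. Older adb versions append a
# carriage return to shell output, so strip it before comparing.
if command -v adb >/dev/null 2>&1; then
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        report_device "$serial" "$level" || true
    done
fi
```

Comparing the dates as integers rather than strings keeps the check honest on `/bin/sh` implementations whose `test` lacks the `<` and `>` extensions, and the explicit third return code is there so a blank property on a Lollipop build never reads as "up to date".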
If you're on Verizon, here's what you need to know: you're SOL.
Yep
I'd love to disagree, but I cannot
I'm on Verizon, and I get the security updates with no problem. Of course, I don't have a Verizon carrier version phone. No bloatware and timely updates. You really should try buying an unlocked phone that works on every carrier, and popping in your Verizon Sim. It's like a whole new world. Unlocked Marshmallow Nexus 6 on Verizon. I'm a happy guy.
Downloading it now for Nexus 6 and 9
If you don't own a Nexus, except for T-Mobile, you're SOL. Luckily for me I have a 6P and a non-update-existent S7E on Verizon.
Oh, I don't know about that. I have yet to see T-Mobile push out the MOB30D build from April.
Jerry, can't wait to hear what you find out at I/O this year. I really like that Google points out they provide everything to the manufacturers almost a month before, but yet most don't do anything with it.
I got the April security update in late April, so hopefully it's the same this month. S7 proper, BTW.
I got the April update OTA on my Nexus 5X towards the end of the month (not sure why it took so long). Not holding out much hope for these updates getting to me any quicker.
Anyone know if the May update fixes what the April update broke in terms of Hangouts crashing on incoming Project Fi calls when a SIP phone account is enabled in the phone app? This is why I hate untested updates. This was all working fine for the last many months and now it crashes every time.
Any word on issues with this update and the Nexus 6? The April update broke my phone, requiring a factory reset!
The May update messed up the phone dialer and contacts. My Exchange contacts got erased from the phone and re-entering the Exchange info has not corrected the issue. The dialer doesn't show caller ID anymore.