Nexus, Priv, A9, and hopefully many more users will soon (if not already) see a rollout of Security Patch Level January 1, 2016. As you're no doubt aware, this is a continued monthly effort from Google to address any and all software-related security bugs that are found within Android from experts all around the tech world. Each month we get a bulletin from Google listing the security concerns being addressed in the update, as well as who discovered the update and where they are currently employed.
Here's what has been fixed for January:
A big focus for this month has been escalation of privilege vulnerabilities. This refers to any point in the code where something can ask for access to greater privileges than they are supposed to be granted by the operating system. Frequently, escalation-of-privilege vulnerabilities can lead to the ability to execute code that would otherwise not be allowed. In the January patch, Google is addressing escalation vulnerabilities in Bluetooth, Kernel, Setup Wizard, Wifi, Trustzone, Imagination Technologies Driver, and misc-sd driver. A remote code execution vulnerability in the Mediaserver was also addressed in this patch, as well as a denial of service vulnerability in Bouncy Castle. Finally, there was an attack surface reduction for Nexus kernels.
As is almost always the case, Google claims there have been no reports of active customer exploitation of these issues. This has a lot to do with the security features Google has in place to stop apps from entering or remaining active on the Play Store that could exploit these vulnerabilities in the first place. Google's efforts in verifying apps both in the Play Store and on your phone play a significant part in day to day security, but addressing vulnerabilities within Android itself is still incredibly important. After all, not everyone only uses apps from the Play Store.
Like previous monthly patches, Nexus phones and tablets will start rolling the update out immediately, but images also will be available on Google Developers site — builds marked LMY49F or later will have the most recent patch. HTC's 15 business day promise with the A9 means users will see the update within the next two or three weeks, and BlackBerry Priv owners should start seeing the update today. All of Google's partners were provided with this patch on Dec. 7, and the appropriate AOSP repos will be updated within over the next 48 hours. Stay safe!