Google's January 2016 Security Bulletin is live — here's what you need to know

Nexus, Priv, A9, and hopefully many more users will soon (if not already) see a rollout of Security Patch Level January 1, 2016. As you're no doubt aware, this is a continued monthly effort from Google to address any and all software-related security bugs that are found within Android from experts all around the tech world. Each month we get a bulletin from Google listing the security concerns being addressed in the update, as well as who discovered the update and where they are currently employed.

Here's what has been fixed for January:

A big focus for this month has been escalation of privilege vulnerabilities. This refers to any point in the code where something can ask for access to greater privileges than they are supposed to be granted by the operating system. Frequently, escalation-of-privilege vulnerabilities can lead to the ability to execute code that would otherwise not be allowed. In the January patch, Google is addressing escalation vulnerabilities in Bluetooth, Kernel, Setup Wizard, Wifi, Trustzone, Imagination Technologies Driver, and misc-sd driver. A remote code execution vulnerability in the Mediaserver was also addressed in this patch, as well as a denial of service vulnerability in Bouncy Castle. Finally, there was an attack surface reduction for Nexus kernels.

As is almost always the case, Google claims there have been no reports of active customer exploitation of these issues. This has a lot to do with the security features Google has in place to stop apps from entering or remaining active on the Play Store that could exploit these vulnerabilities in the first place. Google's efforts in verifying apps both in the Play Store and on your phone play a significant part in day to day security, but addressing vulnerabilities within Android itself is still incredibly important. After all, not everyone only uses apps from the Play Store.

Like previous monthly patches, Nexus phones and tablets will start rolling the update out immediately, but images also will be available on Google Developers site — builds marked LMY49F or later will have the most recent patch. HTC's 15 business day promise with the A9 means users will see the update within the next two or three weeks, and BlackBerry Priv owners should start seeing the update today. All of Google's partners were provided with this patch on Dec. 7, and the appropriate AOSP repos will be updated within over the next 48 hours. Stay safe!

Russell is a Contributing Editor at Android Central. He's a former server admin who has been using Android since the HTC G1, and quite literally wrote the book on Android tablets. You can usually find him chasing the next tech trend, much to the pain of his wallet. Find him on Facebook and Twitter

13 Comments
  • Good to see. Posted via the Android Central App
  • 1. Check phone for patch level
    2. See 11/1/2015 or none listed
    3. Place order for Nexus 6p In all seriousness I think about following these steps everytime a new monthly patch is released, knowing my phone will probably never get the update. Posted via the Android Central App
  • Nexus is the Droid you're looking for Posted via Nexus 5
  • Nexus is what you're droid'ing for
  • I have a Nexus 6P and I like it. I stopped upgrading my iPhone. Posted via the Android Central App
  • "A remote code execution vulnerability in the Mediaserver was also addressed in this patch..."
    The Android Media Server is the gift that keeps on giving.
  • +1 lol LG G3.. waiting for Marshmallow...
  • Please address the damn syncing issues with Gmail, Inbox, and so on. Posted via the Android Central App
  • Where is the OTA update for unlocked Nexus 6 phones that are using AT&T towers? Mine, along with a lot of others, is still stuck on 5.1.1 (LMY48Z). If you buy a new Nexus 6 and don't put a SIM in right away it will automatically OTA update to 6.0.1. But if you put in an AT&T sim the updates will stop at 5.1.1 and no one can explain why. What is Google's position/explanation???? Sure I can flash to Marshmallow but I don't want to and shouldn't have to. The reason I buy Nexus devices is to get the latest android updates automatically and fast. The Nexus 6 might be my last Nexus device though with the lack of service/support from Google.
  • I'm going to have to backup and flash in the next week or so. It's a real shame that Google can't update a Nexus phone. The sad part is that going forward, I will have to only manually apply OTAs that I can verify do not leave me on some carrier branch with no future. I love the Nexus software experience, but this negates a whole lot of the value. Google is 100% at fault here for allowing such carrier interference and not correcting it by now with legitimate OTA to Marshmallow.
  • Version 6.0.1 ( marshmallow) updated automatically via android central. I received my nexus 6p and immediately activated it with AT&T. Posted via the Android Central App
  • Those of us that where unfortunate enough of getting caught up with the Nexus 6p's Telstra (Australia) problems are still stuck on November 2015 security level and android 6.0.0. The only way out is to break the efuse and unlock the boot loader (erasing everything in process) and flash the new factory images.. So much for speedy and current updates by Google/Huawei......
  • A telecom refusing to allow an update to be pushed is the telecoms problem not google or huawei. Flashing an update image does not blow the efuse. Their are 2 levels of unlock. One blows it, one doesn't. The level you need to unlock and flash the update only allows you to do that and does not blow the fuse. You can check the efuse status while flashing the image. I am impatient and dont like to wait for the ota and my fuse is still intact.