Google's monthly update system continues to offer important fixes to vulnerabilities many folks aren't aware ever existed in Android, and the March list includes 19 issues all over the OS. These updates are rated either Moderate, High, or Critical in their Severity, and along with the update released to address these issues is a detailed explanation of what is being fixed. As is often the case with these monthly updates, contributions come from all over the world as well as Google's internal security teams to ensure Android is always getting better.
Here's what you need to know about the fixes being made available in Security Level March 01, 2016, as well as when your phone or tablet will get the update.
The March update for Android addresses six Critical issues, eight High issues, and two Moderate issues. These include elevation of privilege vulnerabilities, remote code execution vulnerabilities, remote denial of service vulnerabilties, and mitigation bypass vulnerabilities all over the OS. The most significant of these issues, according to Google, was a remote code execution vulnerabilities found in Mediaserver and libvpx. These issues could have allowed a third party to use MMS media or browser playback media to execute code on your phone or tablet by means of a specially crafted file that behaved maliciously instead of just playing media. Google has released fixes all the way back to Android 4.4.4 to address these issues.
As is often the case with these updates, Google claims no evidence of active attacks using these vulnerabilities exists.
Elevation of privilege vulnerabilities in MediaTek drivers and Qualcomm's performance components were also addressed in this update, as well as in Mediaserver and Keyring. If exploited, these vulnerabilities could have made it possible to access more than the app had been given permission to access. The same goes for information disclosure vulnerabilities in telephony, libstagefright, WideVine, and the Android Kernel, only instead of access to more of the system functions a malicious app could have had access to more of your information than you'd given permission to access.
As is often the case with these updates, Google claims no evidence of active attacks using these vulnerabilities exists. Images for Nexus phones and tablets containing this March update are now available on the Google Developers site, with Over-The-Air updates expected within the week. Google provided these updates to all of their Android partners at least 30 days ago, and the companies that have committed to providing security updates as quickly as possible — like BlackBerry which is already shipping the March update on the Priv — will be detailing their update plans as soon as they can.
