The final critical vulnerability in the MediaTek Wi-Fi kernel driver (CVE-2016-0820) could also be abused by a malicious app. While another MediaTek flaw (CVE-2016-0822) could result in arbitrary code execution, it was rated only as high priority because the attacker would first have to compromise the conn_launcher service, "which may not even be possible," Google said.
The patches for Qualcomm and MediaTek components are posted on the Google Developer site and not in the Android Open Source Project repository.
High priority and medium priority bugs also addressed
Google fixed a mitigation bypass vulnerability in the kernel (CVE-2016-0821) that could let attackers bypass security measures in place. The vulnerability is related to a change made to poison pointer values in the Linux kernel back in September. The updates also addressed an information disclosure vulnerability in the kernel (CVE-2016-0823) that could result in malicious apps locally bypassing exploit mitigation technologies like ASLR in a privileged process. The bug was also fixed in the Linux upstream back in March 2015.
The information disclosure vulnerability in the Widevine Trusted Application component could allow code running in the kernel context to access information in TrustZone secure storage, Google said in its bulletin. Like the high-priority Mediaserver flaws, this bug could be used to gain permissions typically not granted to third-party apps. The final high-priority bug is a remote denial-of-service flaw in Bluetooth that could allow an attacker within a certain distance of the target device to block access. The attacker could cause an overflow of identified Bluetooth devices in the component, leading to memory corruption and causing the service to stop. The issue could potentially be fixed only by flashing the device, Google said.
The two moderate-priority bugs are in the Telephony component and the Setup Wizard. The information disclosure vulnerability in the telephony component could allow an app to access sensitive data on the device. The elevation of privilege vulnerability in Setup Wizard can be exploited by an attacker who has physical access to the device and can perform a manual device reset.
Patch if possible
None of these issues have been exploited in the wild.
Builds LMY49H or later and Android M with Security Patch Level of "March 01, 2016" or later contain fixes for these issues. The Build information is available through the Settings app on Android devices, under the About phone option. The Security Patch Level is shown in the same location on Android M devices and some Samsung devices running the latest Lollipop versions.
Since phone makers and carriers control when the updates are actually pushed to Android devices, for most users, the best ways to stay up-to-date with the security fixes are to buy Nexus devices, upgrade to newer devices frequently, or install custom Android versions themselves.
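For anyone managing more than one device, the Security Patch Level check described above can be run over saved `adb shell getprop` output instead of the Settings app. The following is an added example, not code from Google or the bulletin; it assumes the patch level is exposed as the `ro.build.version.security_patch` system property (a name the article does not mention) and uses constructed sample data.

```python
import re
from datetime import date

# Threshold from the bulletin text above: Security Patch Level "March 01, 2016".
FIXED_PATCH_LEVEL = date(2016, 3, 1)
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Parse `adb shell getprop` output ("[key]: [value]" lines) into a dict."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props

def patch_status(props):
    """Classify one device as 'patched', 'vulnerable' or 'unknown'."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        level = date(*(int(part) for part in raw.split("-")))
    except (ValueError, TypeError):
        # Property missing or malformed, as on Lollipop builds that do not
        # expose a patch level: the build ID must be compared by hand.
        return "unknown"
    return "patched" if level >= FIXED_PATCH_LEVEL else "vulnerable"

def audit(fleet):
    """Map each device serial to (status, build ID) for a patch report."""
    report = {}
    for serial, getprop_text in fleet.items():
        props = parse_getprop(getprop_text)
        report[serial] = (patch_status(props), props.get("ro.build.id", "?"))
    return report

# Constructed sample data: serials, build IDs and patch levels are made up.
SAMPLE_FLEET = {
    "emu-0001": "[ro.build.id]: [BUILD_A]\n[ro.build.version.security_patch]: [2016-03-01]\n",
    "emu-0002": "[ro.build.id]: [BUILD_B]\n[ro.build.version.security_patch]: [2016-02-01]\n",
    "emu-0003": "[ro.build.id]: [BUILD_C]\n[ro.build.version.release]: [5.1.1]\n",
    "emu-0004": "[ro.build.id]: [BUILD_D]\n[ro.build.version.security_patch]: [unknown]\n",
}

if __name__ == "__main__":
    for serial, (status, build) in sorted(audit(SAMPLE_FLEET).items()):
        print(f"{serial}  build={build}  status={status}")
```

Devices reported as `unknown` expose no usable patch level, so their build ID has to be compared manually against the LMY49H threshold given above.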