Google releases May 2016 Android Security Bulletin and Nexus Images

Google has released the May 2016 Android Security Bulletin, previously called the monthly security patch notes. Its scope has been expanded to include vulnerabilities that affect phones and tablets that aren’t Nexus branded from Google.

Google has also updated the Android Security severity ratings. These changes were the result of data collected over the last six months on reported security vulnerabilities and aim to align severities more closely with real-world impact to users.

The update is still Android 6.0.1, but carries a different version number depending on which phone or tablet you are using.

The table below lists the security vulnerabilities, their Common Vulnerabilities and Exposures (CVE) IDs, their assessed severity, and whether or not Nexus devices are affected. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or successfully bypassed.

| Issue | CVE | Severity | Affects Nexus? |
|---|---|---|---|
| Remote Code Execution Vulnerability in Mediaserver | CVE-2016-2428, CVE-2016-2429 | Critical | Yes |
| Elevation of Privilege Vulnerability in Debuggerd | CVE-2016-2430 | Critical | Yes |
| Elevation of Privilege Vulnerability in Qualcomm TrustZone | CVE-2016-2431, CVE-2016-2432 | Critical | Yes |
| Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver | CVE-2015-0569, CVE-2015-0570 | Critical | Yes |
| Elevation of Privilege Vulnerability in NVIDIA Video Driver | CVE-2016-2434, CVE-2016-2435, CVE-2016-2436, CVE-2016-2437 | Critical | Yes |
| Elevation of Privilege Vulnerability in Kernel | CVE-2015-1805 | Critical | Yes |
| Remote Code Execution Vulnerability in Kernel | CVE-2016-2438 | High | Yes |
| Information Disclosure Vulnerability in Qualcomm Tethering Controller | CVE-2016-2060 | High | No |
| Remote Code Execution in Bluetooth | CVE-2016-2439 | High | Yes |
| Elevation of Privilege in Binder | CVE-2016-2440 | High | Yes |
| Elevation of Privilege Vulnerability in Qualcomm Buspm Driver | CVE-2016-2441, CVE-2016-2442 | High | Yes |
| Elevation of Privilege Vulnerability in Qualcomm MDP Driver | CVE-2016-2443 | High | Yes |
| Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver | CVE-2015-0571 | High | Yes |
| Elevation of Privilege Vulnerability in NVIDIA Video Driver | CVE-2016-2444, CVE-2016-2445, CVE-2016-2446 | High | Yes |
| Elevation of Privilege in Wi-Fi | CVE-2016-2447 | High | Yes |
| Elevation of Privilege Vulnerability in Mediaserver | CVE-2016-2448, CVE-2016-2449, CVE-2016-2450, CVE-2016-2451, CVE-2016-2452 | High | Yes |
| Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver | CVE-2016-2453 | High | Yes |
| Remote Denial of Service Vulnerability in Qualcomm Hardware Codec | CVE-2016-2454 | High | Yes |
| Elevation of Privilege in Conscrypt | CVE-2016-2461, CVE-2016-2462 | Moderate | Yes |
| Elevation of Privilege Vulnerability in OpenSSL & BoringSSL | CVE-2016-0705 | Moderate | Yes |
| Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver | CVE-2016-2456 | Moderate | Yes |
| Elevation of Privilege in Wi-Fi | CVE-2016-2457 | Moderate | Yes |
| Information Disclosure Vulnerability in AOSP Mail | CVE-2016-2458 | Moderate | Yes |
| Information Disclosure Vulnerability in Mediaserver | CVE-2016-2459, CVE-2016-2460 | Moderate | Yes |
| Denial of Service Vulnerability in Kernel | CVE-2016-0774 | Low | Yes |

Android and Google Service Mitigations

According to Google,

“The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.”

In total, 25 security vulnerabilities have been addressed, ranging from critical to low in terms of their assessed severity. 24 of these fixes affect Nexus or Android One branded devices.

This is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services, and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
  • As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.

Partners were notified about the issues described in the bulletin on April 04, 2016 or earlier. This explains why the recent BlackBerry Priv Marshmallow release (and beta) already contained the May security update.

Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

Nexus Images

The updates for the Nexus line, both over the air and as a new factory image, haven’t changed. OTA updates have begun their staggered rollout, and new factory images are now available for manual downloading and installation.

Full details of the May 2016 Android Security Bulletin are available here.