Google releases May 2016 Android Security Bulletin and Nexus Images

Google has released the May 2016 Android Security Bulletin, previously called monthly security patch notes,  and the scope has been expanded to include mention of vulnerabilities that affect phones and tablets that aren’t Nexus branded from Google.

Google has also updated the Android Security severity ratings. These changes were the result of data collected over the last six months on reported security vulnerabilities and aim to align severities more closely with real world impact to users.

The update is still Android 6.0.1, but carries a different version number depending which phone or tablet you are using.

The table below contains a list of security vulnerabilities, the Common Vulnerability and Exposures ID (CVE), their assessed severity and whether or not Nexus devices are affected. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.
[table style=”table-striped”]

uk iptv
Issue CVE Severity Affects Nexus?
Remote Code Execution Vulnerability in Mediaserver CVE-2016-2428
CVE-2016-2429
Critical Yes
Elevation of Privilege Vulnerability in Debuggerd CVE-2016-2430 Critical Yes
Elevation of Privilege Vulnerability in Qualcomm TrustZone CVE-2016-2431
CVE-2016-2432
Critical Yes
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver CVE-2015-0569
CVE-2015-0570
Critical Yes
Elevation of Privilege Vulnerability in NVIDIA Video Driver CVE-2016-2434
CVE-2016-2435
CVE-2016-2436
CVE-2016-2437
Critical Yes
Elevation of Privilege Vulnerability in Kernel CVE-2015-1805 Critical Yes
Remote Code Execution Vulnerability in Kernel CVE-2016-2438 High Yes
Information Disclosure Vulnerability in Qualcomm Tethering Controller CVE-2016-2060 High No
Remote Code Execution in Bluetooth CVE-2016-2439 High Yes
Elevation of Privilege in Binder CVE-2016-2440 High Yes
Elevation of Privilege Vulnerability in Qualcomm Buspm Driver CVE-2016-2441
CVE-2016-2442
High Yes
Elevation of Privilege Vulnerability in Qualcomm MDP Driver CVE-2016-2443 High Yes
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver CVE-2015-0571 High Yes
Elevation of Privilege Vulnerability in NVIDIA Video Driver CVE-2016-2444
CVE-2016-2445
CVE-2016-2446
High Yes
Elevation of Privilege in Wi-Fi CVE-2016-2447 High Yes
Elevation of Privilege Vulnerability in Mediaserver CVE-2016-2448
CVE-2016-2449
CVE-2016-2450
CVE-2016-2451
CVE-2016-2452
High Yes
Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver CVE-2016-2453 High Yes
Remote Denial of Service Vulnerability in Qualcomm Hardware Codec CVE-2016-2454 High Yes
Elevation of Privilege in Conscrypt CVE-2016-2461
CVE-2016-2462
Moderate Yes
Elevation of Privilege Vulnerability in OpenSSL & BoringSSL CVE-2016-0705 Moderate Yes
Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver CVE-2016-2456 Moderate Yes
Elevation of Privilege in Wi-Fi CVE-2016-2457 Moderate Yes
Information Disclosure Vulnerability in AOSP Mail CVE-2016-2458 Moderate Yes
Information Disclosure Vulnerability in Mediaserver CVE-2016-2459
CVE-2016-2460
Moderate Yes
Denial of Service Vulnerability in Kernel CVE-2016-0774 Low Yes

[/table]

Android and Google Service Mitigations

According to Google,

“The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.”

In total, 25 security vulnerabilities have been addressed, ranging from critical to low in terms of their assessed severity. 24 of these fixes affect Nexus or Android One branded devices.

This is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services, and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
  • As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.

Partners were notified about the issues described in the bulletin on April 04, 2016 or earlier. This explains why the recent BlackBerry Priv Marshmallow release (and beta) already contained the May security update.

Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

Nexus Images

The updates for the Nexus line — both over the air or as a new factory image — haven’t changed. OTA updates have begun their staggered roll out, and new factory images are now available for manual downloading and installation.

Full details of the May 2016 Android Security Bulletin is available here.