February security patches for Android out for supported devices, here's the changelog

Google has released its Android Security Bulletin for February after notifying its partners of issues included in the security update at the beginning of January. An over-the-air (OTA) update should already be rolling out to supported Nexus and Pixel phones. The device firmware images have also been released on the Google Developer site.

The wave of updates contains previous fixes as well as patches for a large number of other vulnerabilities. Luckily, none of them seem to be currently exploited in the wild, although Google did note that:

"The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."

So as always, it's a good idea to update straight away.

2017-02-01 security patch level—Vulnerability summary

Security patch levels of 2017-02-01 or later must address the following issues.

| Issue | CVE | Severity | Affects Google devices? |
|---|---|---|---|
| Remote code execution vulnerability in Surfaceflinger | CVE-2017-0405 | Critical | Yes |
| Remote code execution vulnerability in Mediaserver | CVE-2017-0406, CVE-2017-0407 | Critical | Yes |
| Remote code execution vulnerability in libgdx | CVE-2017-0408 | High | Yes |
| Remote code execution vulnerability in libstagefright | CVE-2017-0409 | High | Yes |
| Elevation of privilege vulnerability in Java.Net | CVE-2016-5552 | High | Yes |
| Elevation of privilege vulnerability in Framework APIs | CVE-2017-0410, CVE-2017-0411, CVE-2017-0412 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2017-0415 | High | Yes |
| Elevation of privilege vulnerability in Audioserver | CVE-2017-0416, CVE-2017-0417, CVE-2017-0418, CVE-2017-0419 | High | Yes |
| Information disclosure vulnerability in AOSP Mail | CVE-2017-0420 | High | Yes |
| Information disclosure vulnerability in AOSP Messaging | CVE-2017-0413, CVE-2017-0414 | High | Yes |
| Information disclosure vulnerability in Framework APIs | CVE-2017-0421 | High | Yes |
| Denial of service vulnerability in Bionic DNS | CVE-2017-0422 | High | Yes |
| Elevation of privilege vulnerability in Bluetooth | CVE-2017-0423 | Moderate | Yes |
| Information disclosure vulnerability in AOSP Messaging | CVE-2017-0424 | Moderate | Yes |
| Information disclosure vulnerability in Audioserver | CVE-2017-0425 | Moderate | Yes |
| Information disclosure vulnerability in Filesystem | CVE-2017-0426 | Moderate | Yes |

2017-02-05 security patch level—Vulnerability summary

Security patch levels of 2017-02-05 or later must address all of the 2017-02-01 issues, as well as the following issues.

| Issue | CVE | Severity | Affects Google devices? |
|---|---|---|---|
| Remote code execution vulnerability in Qualcomm crypto driver | CVE-2016-8418 | Critical | No* |
| Elevation of privilege vulnerability in kernel file system | CVE-2017-0427 | Critical | Yes |
| Elevation of privilege vulnerability in NVIDIA GPU driver | CVE-2017-0428, CVE-2017-0429 | Critical | Yes |
| Elevation of privilege vulnerability in kernel networking subsystem | CVE-2014-9914 | Critical | Yes |
| Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2017-0430 | Critical | Yes |
| Vulnerabilities in Qualcomm components | CVE-2017-0431 | Critical | No* |
| Elevation of privilege vulnerability in MediaTek driver | CVE-2017-0432 | High | No* |
| Elevation of privilege vulnerability in Synaptics touchscreen driver | CVE-2017-0433, CVE-2017-0434 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm Secure Execution Environment Communicator driver | CVE-2016-8480 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm sound driver | CVE-2016-8481, CVE-2017-0435, CVE-2017-0436 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm Wi-Fi driver | CVE-2017-0437, CVE-2017-0438, CVE-2017-0439, CVE-2016-8419, CVE-2016-8420, CVE-2016-8421, CVE-2017-0440, CVE-2017-0441, CVE-2017-0442, CVE-2017-0443, CVE-2016-8476 | High | Yes |
| Elevation of privilege vulnerability in Realtek sound driver | CVE-2017-0444 | High | Yes |
| Elevation of privilege vulnerability in HTC touchscreen driver | CVE-2017-0445, CVE-2017-0446, CVE-2017-0447 | High | Yes |
| Information disclosure vulnerability in NVIDIA video driver | CVE-2017-0448 | High | Yes |
| Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2017-0449 | Moderate | Yes |
| Elevation of privilege vulnerability in Audioserver | CVE-2017-0450 | Moderate | Yes |
| Elevation of privilege vulnerability in kernel file system | CVE-2016-10044 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm Secure Execution Environment Communicator | CVE-2016-8414 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm sound driver | CVE-2017-0451 | Moderate | Yes |

*Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.
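The two patch levels are cumulative, which makes them easy to audit across a fleet. The sketch below is an added example, not code from the article or from Google: it assumes each device reports its patch level as a YYYY-MM-DD string (for instance the value of the `ro.build.version.security_patch` property), uses a constructed inventory, and tracks only the Critical CVEs from the two tables to stay short.

```python
import re
from datetime import date

# Critical CVEs per patch level, copied from the bulletin tables on this page.
CRITICAL_BY_LEVEL = {
    date(2017, 2, 1): ["CVE-2017-0405", "CVE-2017-0406", "CVE-2017-0407"],
    date(2017, 2, 5): ["CVE-2016-8418", "CVE-2017-0427", "CVE-2017-0428",
                       "CVE-2017-0429", "CVE-2014-9914", "CVE-2017-0430",
                       "CVE-2017-0431"],
}

def parse_patch_level(raw):
    """Parse a YYYY-MM-DD patch level; return None if it is malformed."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", raw.strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # well-formed digits but not a real date
        return None

def outstanding_criticals(raw_level):
    """Critical CVEs that the reported level does not guarantee are fixed."""
    level = parse_patch_level(raw_level)
    missing = []
    for bulletin_level in sorted(CRITICAL_BY_LEVEL):
        # A level covers every bulletin level dated on or before it, so
        # 2017-02-05 implies 2017-02-01. An unparseable level covers nothing.
        if level is None or level < bulletin_level:
            missing.extend(CRITICAL_BY_LEVEL[bulletin_level])
    return missing

def audit(fleet):
    """Map device name -> (status, outstanding Critical CVEs)."""
    report = {}
    for device, raw_level in fleet.items():
        missing = outstanding_criticals(raw_level)
        if parse_patch_level(raw_level) is None:
            status = "unknown"
        elif missing:
            status = "behind"
        else:
            status = "current"
        report[device] = (status, missing)
    return report

# Constructed inventory: device names and reported levels are made up.
SAMPLE_FLEET = {"pixel-01": "2017-02-05", "nexus-02": "2017-02-01",
                "oem-03": "2017-01-05", "oem-04": "7.1.1"}
```

A device at 2017-02-01 may already carry some of the 2017-02-05 fixes, but the level string does not guarantee it, so the audit treats those CVEs as outstanding.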

The security patches have also been made available as part of the Android Open Source Project so that third-party manufacturers can publish their own system updates. While Nexus and Google Pixel users can expect the OTA to start arriving on their phones right now, everyone else will have to wait for their respective manufacturer to test and roll out the patch level.

You can check if there's an update by going into Settings > About phone > Check for update.

Source: Android Security Blog
