Google has released its Android Security Bulletin for February after notifying its partners of issues included in the security update at the beginning of January. Supported devices should already start to see an over-the-air (OTA) update rolling out to Nexus and Pixel phones. The device firmware images have also been released to the Google Developer site.
The wave of updates contains previous fixes as well as patches for a large number of other vulnerabilities. Luckily none of them seem to be currently exploited in the wild, although Google did note that:
"The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."
So as always, it's a good idea to update straight away.
2017-02-01 security patch level—Vulnerability summary
Security patch levels of 2017-02-01 or later must address the following issues.
| Issue | CVE | Severity | Affects Google devices? |
|---|---|---|---|
| Remote code execution vulnerability in Surfaceflinger | CVE-2017-0405 | Critical | Yes |
| Remote code execution vulnerability in Mediaserver | CVE-2017-0406, CVE-2017-0407 | Critical | Yes |
| Remote code execution vulnerability in libgdx | CVE-2017-0408 | High | Yes |
| Remote code execution vulnerability in libstagefright | CVE-2017-0409 | High | Yes |
| Elevation of privilege vulnerability in Java.Net | CVE-2016-5552 | High | Yes |
| Elevation of privilege vulnerability in Framework APIs | CVE-2017-0410, CVE-2017-0411, CVE-2017-0412 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2017-0415 | High | Yes |
| Elevation of privilege vulnerability in Audioserver | CVE-2017-0416, CVE-2017-0417, CVE-2017-0418, CVE-2017-0419 | High | Yes |
| Information disclosure vulnerability in AOSP Mail | CVE-2017-0420 | High | Yes |
| Information disclosure vulnerability in AOSP Messaging | CVE-2017-0413, CVE-2017-0414 | High | Yes |
| Information disclosure vulnerability in Framework APIs | CVE-2017-0421 | High | Yes |
| Denial of service vulnerability in Bionic DNS | CVE-2017-0422 | High | Yes |
| Elevation of privilege vulnerability in Bluetooth | CVE-2017-0423 | Moderate | Yes |
| Information disclosure vulnerability in AOSP Messaging | CVE-2017-0424 | Moderate | Yes |
| Information disclosure vulnerability in Audioserver | CVE-2017-0425 | Moderate | Yes |
| Information disclosure vulnerability in Filesystem | CVE-2017-0426 | Moderate | Yes |
2017-02-05 security patch level—Vulnerability summary
Security patch levels of 2017-02-05 or later must address all of the 2017-02-01 issues, as well as the following issues.
| Issue | CVE | Severity | Affects Google devices? |
|---|---|---|---|
| Remote code execution vulnerability in Qualcomm crypto driver | CVE-2016-8418 | Critical | No* |
| Elevation of privilege vulnerability in kernel file system | CVE-2017-0427 | Critical | Yes |
| Elevation of privilege vulnerability in NVIDIA GPU driver | CVE-2017-0428, CVE-2017-0429 | Critical | Yes |
| Elevation of privilege vulnerability in kernel networking subsystem | CVE-2014-9914 | Critical | Yes |
| Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2017-0430 | Critical | Yes |
| Vulnerabilities in Qualcomm components | CVE-2017-0431 | Critical | No* |
| Elevation of privilege vulnerability in MediaTek driver | CVE-2017-0432 | High | No* |
| Elevation of privilege vulnerability in Synaptics touchscreen driver | CVE-2017-0433, CVE-2017-0434 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm Secure Execution Environment Communicator driver | CVE-2016-8480 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm sound driver | CVE-2016-8481, CVE-2017-0435, CVE-2017-0436 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm Wi-Fi driver | CVE-2017-0437, CVE-2017-0438, CVE-2017-0439, CVE-2016-8419, CVE-2016-8420, CVE-2016-8421, CVE-2017-0440, CVE-2017-0441, CVE-2017-0442, CVE-2017-0443, CVE-2016-8476 | High | Yes |
| Elevation of privilege vulnerability in Realtek sound driver | CVE-2017-0444 | High | Yes |
| Elevation of privilege vulnerability in HTC touchscreen driver | CVE-2017-0445, CVE-2017-0446, CVE-2017-0447 | High | Yes |
| Information disclosure vulnerability in NVIDIA video driver | CVE-2017-0448 | High | Yes |
| Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2017-0449 | Moderate | Yes |
| Elevation of privilege vulnerability in Audioserver | CVE-2017-0450 | Moderate | Yes |
| Elevation of privilege vulnerability in kernel file system | CVE-2016-10044 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm Secure Execution Environment Communicator | CVE-2016-8414 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm sound driver | CVE-2017-0451 | Moderate | Yes |
*Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.
The security patches have also been made available as part of the Android Open Source Project so that third party manufacturers can publish their own system updates. While Nexus and Google Pixel users can expect the OTA to start arriving on their phones right now, everyone else will have to wait for their respective manufacturer to test and roll out the patch level.
You can check if there's an update by going into Settings > About phone > Check for update.
Source: Android Security Blog
3 Comments - Add comment