GOOGLE HAS RELEASED an update for Nexus devices, delivering a soothing over-the-air security hug.
The Nexus Security Bulletin April 2016 fixes several critical vulnerabilities, including one that could allow remote code execution.
"We have released a security update to Nexus devices through an over-the-air update as part of our Android Security Bulletin Monthly Release process. The Nexus firmware images have also been released to the Google Developer site. Security Patch Levels of 2 April or later address these issues," said the bulletin.
"Partners were notified about the issues described in the bulletin on 16 March or earlier. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours. This bulletin will be revised with the AOSP links when they are available."
The most severe of these problems is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing and MMS when processing media files, Google said.
The update contains eight fixes rated 'critical', 13 rated 'high' and eight rated 'moderate', and relates in at least one case to the leaking of information from something called BouncyCastle. Fans of greasepaint should know that it is CVE-2016-0842 that deals with the RCE vulnerability in libstagefright.
"During media file and data processing of a specially crafted file, vulnerabilities in libstagefright could allow an attacker to cause memory corruption and remote code execution as the mediaserver process," said Google.
"This issue is rated as a critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams, as well as access to privileges that third-party apps could not normally access.
"Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible."
The Android Security team said that it is actively monitoring for abuse with Verify Apps and SafetyNet, which will warn the user about potentially harmful applications about to be installed.
Google recommends that the best Android is the most recent. µ