Technology giant Google released new security patches Monday to address some critical bugs in the Android operating system, including one that could allow an attacker to execute code remotely through a variety of methods such as email, Web browsing, and instant messages.
The patch is being made available to Nexus devices via an over-the-air update. Android users can also update their devices directly from the Android Web site, while OEMs will have the option of directing users to the site or pushing their own over-the-air updates to users.
The security update, part of Google’s normally scheduled monthly security patch releases, addresses a broad array of Android vulnerabilities. The most critical are the six vulnerabilities that relate to the operating system’s Mediaserver.
Remote Code Execution Vulnerabilities
The vulnerability in the Mediaserver component could allow an attacker to cause memory corruption while media files and data are being processed, allowing the attacker to execute code remotely, according to Google.
In addition to the patch for the Mediaserver component, Google also released fixes for critical vulnerabilities in Android’s GIFLIB library that could also allow remote code execution during a Mediaserver process, and an elevation of privilege vulnerability in the MediaTek touchscreen driver.
Other components of the operating system, such as the Qualcomm bootloader, the kernel sound subsystem, the Motorola bootloader, Nvidia video driver, Qualcomm power driver, and kernel trace subsystem, also contain critical vulnerabilities that could permanently compromise an Android device. However, those vulnerabilities are not as severe as the Mediaserver bug.
Although the potential for the abuse of these vulnerabilities is high, Google said that it has not received any reports of active exploits for them. Still, the company recommended that all users accept the update on their devices.
Timeline for Security Support
Google also updated users on the service lifetimes for its Pixel and Nexus devices. The Pixel and Pixel XL phones will cease to receive guaranteed Android version updates after October 2018, and aren't guaranteed to receive security updates after October 2019, according to the company.
Of more immediate concern to users is the announcement that Nexus 6P and Nexus 5X devices will stop getting Android version updates after September of this year, and will not receive security updates after October 2018. Nexus 6 and Nexus 9 users, meanwhile, have already stopped receiving OS updates, and will no longer receive security updates after October of this year.
For Nexus devices, those timelines certainly seem short. The Nexus 6P was only released in September of 2015. By cutting off OS update support in 2017, Google is essentially making the device obsolete after only two years. Cutting off security updates in 2018, meanwhile, means owning a three-year-old Android phone will likely be unsafe.