Five "critical," four "high" severity and one merely "moderate" bug make up the menu of Android security patches, which are now available for Nexus devices and will flow through to myriad other devices when it rains up instead of down.
The critical bugs relate to Broadcom and Qualcomm WiFi drivers, Android's Mediaserver, Qualcomm's performance module, and the Android debugger daemon.
Here's the advisory. One by one, the critical bugs are:
- CVE-2016-0801 and CVE-2016-0802, the Broadcom WiFi driver vulns, that allow remote code execution in the context of the kernel, so long as attacker and victim are associated with the same network.
- CVE-2016-0803 and CVE-2016-0804 in Mediaserver, not the same bugs as were fixed in the January release, but just as bad. Once again, crafted messages can crash the server, leaving the target open to remote code execution.
- The Qualcomm bugs, CVE-2016-0805 for the performance module and CVE-2016-0806 for the WiFi driver bug, are local vulns that get the critical rating because if exploited, the user might have to re-flash the device.
- The same applies to the escalation of privilege bug in the
buggeredDebuggerd daemon: exploitation could leave you with a brick that has to be re-flashed.
There's a Minikin library bug (CVE-2016-0808) that could send the user into perpetual reboot hell; privilege escalation bugs in the Android WiFi component (CVE-2016-0809) and (another) in Mediaserver (CVE-2016-0810).
The libmediaplayerservice cops a patch for an information disclosure vulnerability, CVE-2016-0811. This bug could "permit a bypass of security measures," the Android security team says – without much more detail – but the result could be an attacker getting "Signature or signatureOrSystem permissions" that are usually blocked from third-party apps.
Finally, the Setup Wizard has a privilege escalation vulnerability (CVE-2016-0812 and CVE-2016-0813) letting an attacker reset a target device, if they get their hands on it.
"Builds LMY49G or later and Android M with Security Patch Level of February 1, 2016 or later address these issues," the advisory says.
Partners were told about the vulnerabilities on January 4, and "source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours."