Huawei has announced that four of its flagship devices, the Huawei P9, Huawei P9 Plus, Huawei Mate 8, and Huawei Mate 9, are set to get security updates in the near future that will address known security vulnerabilities recently reported to or found by Huawei. Huawei did not announce when these updates will arrive, saying only that they will come over the air to all users of the affected devices, sent either by Huawei directly or through mobile carriers. The vulnerabilities in question are all fairly serious, such as privilege escalation flaws or system-crashing bugs.
For the Huawei P9 Plus, a malicious application has to be downloaded to the phone in question. This application cannot be downloaded by force, which means an attacker has to either trick a user into downloading it or gain physical access to the device to download it themselves. The vulnerability in question simply crashes the phone; it poses little danger of data being compromised, but can be annoying at best and result in data loss or bricking at worst. Both the Huawei P9 and the Huawei Mate 9 are affected by a vulnerability tracked as CVE-2017-2703. This one requires physical access to the device, and offers root access through the Phone Finder function. Finally, CVE-2017-2698 affects both the Huawei P9 and the Huawei Mate 8, and requires a user with root access to download a malicious application. From there, the attacker can crash the phone or gain control via root privileges, making it one of the more dangerous exploits on this list.
Huawei is already scheduling updates for all four phones that will cover all of the exploits listed above. As mentioned, Huawei has not laid out a timeline for when these updates will hit. Huawei’s security tracker lists no temporary fixes for these exploits, so users are advised to use caution to protect their devices until the patches hit; allow only trusted people and hardware around your phone, and do not download or install any apps that you’re not entirely certain have a trustworthy origin and are what they claim to be. Sticking to the Play Store for app downloads is normally enough to fulfill the latter recommendation.