Earlier today Google released the latest monthly security patch for Android, the February 2017 security update. Following the availability of the factory images and OTA’s, the security bulletin detailing what can be expected from this update has also now been posted. As this is a monthly security-focused update, the changes are all security-based and include a small number of ‘Critical’ fixes, as well as those that are deemed ‘High’ and ‘Moderate’ in terms of their severity. The bulletin announcement from Google does detail that the ‘most severe’ of the listed issues is a vulnerability which could permit a remote code execution when processing media files. According to the details, devices affected by this vulnerability would be particularly vulnerable via email, web browsing, and MMS.
As per usual, the update includes two different patches and for this month, they are 2017-02-01 and 2017-02-05. The 2017-02-01 patch includes two Critical fixes which are designed to protect against vulnerabilities that could lead to remote code executions in Surfaceflinger and Media Server. In contrast, the 2017-02-05 patch includes quite a few more critical fixes with two specific to Qualcomm - a fix for a remote code execution vulnerability in Qualcomm’s cryptography driver and a fix for other unspecified vulnerabilities in Qualcomm components. In addition, this patch includes fixes for various vulnerabilities which could lead to elevated privileges by way of the kernel file system, the NVIDIA GPU driver, the kernel networking subsystem and the Broadcom Wifi driver.
Both patches do contain quite a few high priority fixes and these all mainly focus on either vulnerabilities which could lead to remote code execution or an elevation of privileges, with a number of them specifically-aimed at MediaTek and Qualcomm components. Those interested in checking out the full breakdown of all of the included fixes and vulnerabilities in the February security update can do so through the link below. As per usual, the factory images and OTAs are only currently available to Nexus and Pixel device owners. Which means that owners of a device that is not a Nexus or a Pixel will have to wait for their manufacturer and/or carrier to include today’s announced fixes within one of their future updates.