Google, as expected, has released its monthly security update for its Nexus range of devices. Apart from the monthly security update, Google has also released the latest Nexus factory images on the developer site.
The company says that the source code patches for the new issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours. Google notes that partner OEMs were notified about the issues described in the May bulletin on April 4. One of the most severe of these issues was a critical security vulnerability that could enable remote code execution on an affected device through multiple methods (including email, web browsing, and MMS when processing media files).
According to Google, the latest build MTC19T is available for the Nexus 6P and Nexus 5X; MOB30I for the Nexus 6; MOB30G for the Nexus Player, Nexus 9, and Nexus 9 LTE; MOB30H for the Nexus 5; MOB30J for the Nexus 7 (2013) and Nexus 7 3G; and MXC89F for the Pixel C. Users can manually download and flash the zip update file for the Nexus devices from Google’s Nexus Factory Images page.
One of the most notable changes announced with the May security bulletin was that Google renamed the bulletin (and all following in the series) to the Android Security Bulletin. Previously it was called the Nexus Security Bulletin. Google says, “These bulletins encompass a broader range of vulnerabilities that may affect Android devices, even if they do not affect Nexus devices.”
Google also updated the Android Security severity ratings, which are based on the result of data collected over the last six months on reported security vulnerabilities. The bulletin says that there were no reports of active customer exploitation or abuse of these newly reported issues.
The latest May update patches six vulnerabilities that Google has flagged as “critical” and 12 vulnerabilities that fall on the spectrum of “high” severity. The company has also listed six “moderate” security glitches that have been resolved.
The critical security vulnerabilities fixed in the update include a remote code execution vulnerability in mediaserver, which, if left unpatched, could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.
Other vulnerabilities, such as the elevation of privilege vulnerabilities in debuggerd, Qualcomm TrustZone, the Qualcomm Wi-Fi driver, and the NVIDIA video driver, could lead to a local permanent device compromise, which may require re-flashing the operating system to repair the device.