Google has published its latest monthly Android security bulletin, and released new factory and OTA images for supported Nexus and Pixel devices. The March 2017 update comes almost exactly one month after the February security patches were detailed.
Google says that all of the vulnerabilities disclosed in its latest bulletin were revealed to its partners on February 6, 2017 or earlier. "Security patch levels of March 05, 2017 or later address all of these issues," it added.
There are two separate security patch level strings in the new bulletin "to provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices", Google explained. However, it also pointed out that "supported Google devices will receive a single OTA update with the March 05, 2017 security patch level".
That OTA update has begun to roll out today to Google devices; the latest OTA binary image files for supported Nexus and Pixel devices can be found here on Google"s site, and the new factory images are available here.
Details of the vulnerabilities and issues addressed in the latest security update follow below:
2017-03-01 security patch level—Vulnerability summary
Security patch levels of 2017-03-01 or later must address the following issues.
Issue | Common Vulnerability & Exposures ID | Severity | Affects Google devices? |
Remote code execution vulnerability in OpenSSL & BoringSSL | CVE-2016-2182 | Critical | Yes |
Remote code execution vulnerability in Mediaserver | CVE-2017-0466 | Critical | Yes |
Elevation of privilege vulnerability in recovery verifier | CVE-2017-0475 | Critical | Yes |
Remote code execution vulnerability in AOSP Messaging | CVE-2017-0476 | High | Yes |
Remote code execution vulnerability in libgdx | CVE-2017-0477 | High | Yes |
Remote code execution vulnerability in Framesequence library | CVE-2017-0478 | High | Yes |
Elevation of privilege vulnerability in Audioserver | CVE-2017-0479 | High | Yes |
Elevation of privilege vulnerability in NFC | CVE-2017-0481 | High | Yes |
Denial of service vulnerability in Mediaserver | CVE-2017-0482 | High | Yes |
Update: Denial of service vulnerability in Mediaserver | CVE-2017-0390 | High | Yes |
Update: Denial of service vulnerability in Mediaserver | CVE-2017-0392 | High | Yes |
Elevation of privilege vulnerability in Location Manager | CVE-2017-0489 | Moderate | Yes |
Elevation of privilege vulnerability in Wi-Fi | CVE-2017-0490 | Moderate | Yes |
Elevation of privilege vulnerability in Package Manager | CVE-2017-0491 | Moderate | Yes |
Elevation of privilege vulnerability in System UI | CVE-2017-0492 | Moderate | Yes |
Information disclosure vulnerability in AOSP Messaging | CVE-2017-0494 | Moderate | Yes |
Information disclosure vulnerability in Mediaserver | CVE-2017-0495 | Moderate | Yes |
Denial of service vulnerability in Setup Wizard | CVE-2017-0496 | Moderate | Yes |
Denial of service vulnerability in Mediaserver | CVE-2017-0497 | Moderate | Yes |
Denial of service vulnerability in Setup Wizard | CVE-2017-0498 | Moderate | No* |
Denial of service vulnerability in Audioserver | CVE-2017-0499 | Low | Yes |
* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.
2017-03-05 security patch level—Vulnerability summary
Security patch levels of 2017-03-05 or later must address all of the 2017-03-01 issues, as well as the following issues.
Issue | Common Vulnerability & Exposures ID | Severity | Affects devices? |
Elevation of privilege vulnerability in MediaTek components | CVE-2017-0500 | Critical | Yes |
Elevation of privilege vulnerability in NVIDIA GPU driver | CVE-2017-0337 | Critical | Yes |
Elevation of privilege vulnerability in kernel ION subsystem | CVE-2017-0507 | Critical | Yes |
Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2017-0509 | Critical | No* |
Elevation of privilege vulnerability in kernel FIQ debugger | CVE-2017-0510 | Critical | Yes |
Elevation of privilege vulnerability in Qualcomm GPU driver | CVE-2016-8479 | Critical | Yes |
Elevation of privilege vulnerability in kernel networking subsystem | CVE-2016-9806 | Critical | Yes |
Vulnerabilities in Qualcomm components | CVE-2016-8484 | Critical | No* |
Elevation of privilege vulnerability in kernel networking subsystem | CVE-2016-8655 | High | Yes |
Elevation of privilege vulnerability in Qualcomm input hardware driver | CVE-2017-0516 | High | Yes |
Elevation of privilege vulnerability in MediaTek Hardware Sensor Driver | CVE-2017-0517 | High | No* |
Elevation of privilege vulnerability in Qualcomm ADSPRPC driver | CVE-2017-0457 | High | Yes |
Elevation of privilege vulnerability in Qualcomm fingerprint sensor driver | CVE-2017-0518 | High | Yes |
Elevation of privilege vulnerability in Qualcomm crypto engine driver | CVE-2017-0520 | High | Yes |
Elevation of privilege vulnerability in Qualcomm camera driver | CVE-2017-0458 | High | Yes |
Elevation of privilege vulnerability in MediaTek APK | CVE-2017-0522 | High | No* |
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver | CVE-2017-0464 | High | Yes |
Elevation of privilege vulnerability in Synaptics touchscreen driver | CVE-2017-0524 | High | Yes |
Elevation of privilege vulnerability in Qualcomm IPA driver | CVE-2017-0456 | High | Yes |
Elevation of privilege vulnerability in HTC Sensor Hub Driver | CVE-2017-0526 | High | Yes |
Elevation of privilege vulnerability in NVIDIA GPU driver | CVE-2017-0307 | High | No* |
Elevation of privilege vulnerability in Qualcomm networking driver | CVE-2017-0463 | High | Yes |
Elevation of privilege vulnerability in kernel security subsystem | CVE-2017-0528 | High | Yes |
Elevation of privilege vulnerability in Qualcomm SPCom driver | CVE-2016-5856 | High | No* |
Information disclosure vulnerability in kernel networking subsystem | CVE-2014-8709 | High | Yes |
Information disclosure vulnerability in MediaTek driver | CVE-2017-0529 | High | No* |
Information disclosure vulnerability in Qualcomm bootloader | CVE-2017-0455 | High | Yes |
Information disclosure vulnerability in Qualcomm power driver | CVE-2016-8483 | High | Yes |
Information disclosure vulnerability in NVIDIA GPU driver | CVE-2017-0334 | High | Yes |
Denial of service vulnerability in kernel cryptographic subsystem | CVE-2016-8650 | High | Yes |
Elevation of privilege vulnerability in Qualcomm camera driver (device specific) | CVE-2016-8417 | Moderate | Yes |
Information disclosure vulnerability in Qualcomm Wi-Fi driver | CVE-2017-0461 | Moderate | Yes |
Information disclosure vulnerability in MediaTek video codec driver | CVE-2017-0532 | Moderate | No* |
Information disclosure vulnerability in Qualcomm video driver | CVE-2017-0533 | Moderate | Yes |
Information disclosure vulnerability in Qualcomm camera driver | CVE-2016-8413 | Moderate | Yes |
Information disclosure vulnerability in HTC sound codec driver | CVE-2017-0535 | Moderate | Yes |
Information disclosure vulnerability in Synaptics touchscreen driver | CVE-2017-0536 | Moderate | Yes |
Information disclosure vulnerability in kernel USB gadget driver | CVE-2017-0537 | Moderate | Yes |
Information disclosure vulnerability in Qualcomm camera driver | CVE-2017-0452 | Low | Yes |
* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.
While the latest patches have been published to the Android Open Source Project (AOSP) repository, it will take some time for other manufacturers to review and release the new security update for their respective devices.
Source: Google