Google releases March Android security update; new Pixel and Nexus factory images available

Google has published its latest monthly Android security bulletin, and released new factory and OTA images for supported Nexus and Pixel devices. The March 2017 update comes almost exactly one month after the February security patches were detailed.

Google says that all of the vulnerabilities disclosed in its latest bulletin were revealed to its partners on February 6, 2017 or earlier. "Security patch levels of March 05, 2017 or later address all of these issues," it added.

There are two separate security patch level strings in the new bulletin "to provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices", Google explained. However, it also pointed out that "supported Google devices will receive a single OTA update with the March 05, 2017 security patch level".

That OTA update has begun to roll out today to Google devices; the latest OTA binary image files for supported Nexus and Pixel devices can be found here on Google's site, and the new factory images are available here.

Details of the vulnerabilities and issues addressed in the latest security update follow below:

2017-03-01 security patch level—Vulnerability summary

Security patch levels of 2017-03-01 or later must address the following issues.

| Issue | Common Vulnerability & Exposures ID | Severity | Affects Google devices? |
|---|---|---|---|
| Remote code execution vulnerability in OpenSSL & BoringSSL | CVE-2016-2182 | Critical | Yes |
| Remote code execution vulnerability in Mediaserver | CVE-2017-0466, CVE-2017-0467, CVE-2017-0468, CVE-2017-0469, CVE-2017-0470, CVE-2017-0471, CVE-2017-0472, CVE-2017-0473, CVE-2017-0474 | Critical | Yes |
| Elevation of privilege vulnerability in recovery verifier | CVE-2017-0475 | Critical | Yes |
| Remote code execution vulnerability in AOSP Messaging | CVE-2017-0476 | High | Yes |
| Remote code execution vulnerability in libgdx | CVE-2017-0477 | High | Yes |
| Remote code execution vulnerability in Framesequence library | CVE-2017-0478 | High | Yes |
| Elevation of privilege vulnerability in Audioserver | CVE-2017-0479, CVE-2017-0480 | High | Yes |
| Elevation of privilege vulnerability in NFC | CVE-2017-0481 | High | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2017-0482, CVE-2017-0483, CVE-2017-0484, CVE-2017-0485, CVE-2017-0486, CVE-2017-0487, CVE-2017-0488 | High | Yes |
| Update: Denial of service vulnerability in Mediaserver | CVE-2017-0390 | High | Yes |
| Update: Denial of service vulnerability in Mediaserver | CVE-2017-0392 | High | Yes |
| Elevation of privilege vulnerability in Location Manager | CVE-2017-0489 | Moderate | Yes |
| Elevation of privilege vulnerability in Wi-Fi | CVE-2017-0490 | Moderate | Yes |
| Elevation of privilege vulnerability in Package Manager | CVE-2017-0491 | Moderate | Yes |
| Elevation of privilege vulnerability in System UI | CVE-2017-0492 | Moderate | Yes |
| Information disclosure vulnerability in AOSP Messaging | CVE-2017-0494 | Moderate | Yes |
| Information disclosure vulnerability in Mediaserver | CVE-2017-0495 | Moderate | Yes |
| Denial of service vulnerability in Setup Wizard | CVE-2017-0496 | Moderate | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2017-0497 | Moderate | Yes |
| Denial of service vulnerability in Setup Wizard | CVE-2017-0498 | Moderate | No* |
| Denial of service vulnerability in Audioserver | CVE-2017-0499 | Low | Yes |

* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.

2017-03-05 security patch level—Vulnerability summary

Security patch levels of 2017-03-05 or later must address all of the 2017-03-01 issues, as well as the following issues.

| Issue | Common Vulnerability & Exposures ID | Severity | Affects Google devices? |
|---|---|---|---|
| Elevation of privilege vulnerability in MediaTek components | CVE-2017-0500, CVE-2017-0501, CVE-2017-0502, CVE-2017-0503, CVE-2017-0504, CVE-2017-0505, CVE-2017-0506 | Critical | Yes |
| Elevation of privilege vulnerability in NVIDIA GPU driver | CVE-2017-0337, CVE-2017-0338, CVE-2017-0333, CVE-2017-0306, CVE-2017-0335 | Critical | Yes |
| Elevation of privilege vulnerability in kernel ION subsystem | CVE-2017-0507, CVE-2017-0508 | Critical | Yes |
| Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2017-0509 | Critical | No* |
| Elevation of privilege vulnerability in kernel FIQ debugger | CVE-2017-0510 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm GPU driver | CVE-2016-8479 | Critical | Yes |
| Elevation of privilege vulnerability in kernel networking subsystem | CVE-2016-9806, CVE-2016-10200 | Critical | Yes |
| Vulnerabilities in Qualcomm components | CVE-2016-8484, CVE-2016-8485, CVE-2016-8486, CVE-2016-8487, CVE-2016-8488 | Critical | No* |
| Elevation of privilege vulnerability in kernel networking subsystem | CVE-2016-8655, CVE-2016-9793 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm input hardware driver | CVE-2017-0516 | High | Yes |
| Elevation of privilege vulnerability in MediaTek Hardware Sensor Driver | CVE-2017-0517 | High | No* |
| Elevation of privilege vulnerability in Qualcomm ADSPRPC driver | CVE-2017-0457 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm fingerprint sensor driver | CVE-2017-0518, CVE-2017-0519 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm crypto engine driver | CVE-2017-0520 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm camera driver | CVE-2017-0458, CVE-2017-0521 | High | Yes |
| Elevation of privilege vulnerability in MediaTek APK | CVE-2017-0522 | High | No* |
| Elevation of privilege vulnerability in Qualcomm Wi-Fi driver | CVE-2017-0464, CVE-2017-0453, CVE-2017-0523 | High | Yes |
| Elevation of privilege vulnerability in Synaptics touchscreen driver | CVE-2017-0524 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm IPA driver | CVE-2017-0456, CVE-2017-0525 | High | Yes |
| Elevation of privilege vulnerability in HTC Sensor Hub Driver | CVE-2017-0526, CVE-2017-0527 | High | Yes |
| Elevation of privilege vulnerability in NVIDIA GPU driver | CVE-2017-0307 | High | No* |
| Elevation of privilege vulnerability in Qualcomm networking driver | CVE-2017-0463, CVE-2017-0460 | High | Yes |
| Elevation of privilege vulnerability in kernel security subsystem | CVE-2017-0528 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm SPCom driver | CVE-2016-5856, CVE-2016-5857 | High | No* |
| Information disclosure vulnerability in kernel networking subsystem | CVE-2014-8709 | High | Yes |
| Information disclosure vulnerability in MediaTek driver | CVE-2017-0529 | High | No* |
| Information disclosure vulnerability in Qualcomm bootloader | CVE-2017-0455 | High | Yes |
| Information disclosure vulnerability in Qualcomm power driver | CVE-2016-8483 | High | Yes |
| Information disclosure vulnerability in NVIDIA GPU driver | CVE-2017-0334, CVE-2017-0336 | High | Yes |
| Denial of service vulnerability in kernel cryptographic subsystem | CVE-2016-8650 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm camera driver (device specific) | CVE-2016-8417 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm Wi-Fi driver | CVE-2017-0461, CVE-2017-0459, CVE-2017-0531 | Moderate | Yes |
| Information disclosure vulnerability in MediaTek video codec driver | CVE-2017-0532 | Moderate | No* |
| Information disclosure vulnerability in Qualcomm video driver | CVE-2017-0533, CVE-2017-0534, CVE-2016-8416, CVE-2016-8478 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm camera driver | CVE-2016-8413, CVE-2016-8477 | Moderate | Yes |
| Information disclosure vulnerability in HTC sound codec driver | CVE-2017-0535 | Moderate | Yes |
| Information disclosure vulnerability in Synaptics touchscreen driver | CVE-2017-0536 | Moderate | Yes |
| Information disclosure vulnerability in kernel USB gadget driver | CVE-2017-0537 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm camera driver | CVE-2017-0452 | Low | Yes |

* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.

While the latest patches have been published to the Android Open Source Project (AOSP) repository, it will take some time for other manufacturers to review and release the new security update for their respective devices.
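To see which of the bulletin's two patch levels a device has actually reached, compare the patch level string it reports with the two dates above. The shell script below is an added example, not taken from Google's bulletin; it assumes the string is read from the `ro.build.version.security_patch` system property, and the device names and inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Android security patch level strings against the
# two levels of the March 2017 bulletin. On a device the string comes from
# the ro.build.version.security_patch property, e.g.
#   adb shell getprop ro.build.version.security_patch
PARTIAL_LEVEL=2017-03-01   # first patch level string in the bulletin
FULL_LEVEL=2017-03-05      # second string; also covers every 2017-03-01 issue

# Prints one of: invalid | unpatched | partial | full
classify_patch_level() {
    level=$1
    # Accept only YYYY-MM-DD; an empty or free-text value is reported as invalid.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # With the dashes removed, ISO dates compare correctly as integers.
    n=$(printf '%s' "$level" | tr -d '-')
    partial=$(printf '%s' "$PARTIAL_LEVEL" | tr -d '-')
    full=$(printf '%s' "$FULL_LEVEL" | tr -d '-')
    if [ "$n" -ge "$full" ]; then
        echo full
    elif [ "$n" -ge "$partial" ]; then
        echo partial
    else
        echo unpatched
    fi
}

# Reads "device-name patch-level" lines on stdin, prints name, level, verdict.
audit_inventory() {
    while read -r name level; do
        [ -n "$name" ] || continue
        printf '%s %s %s\n' "$name" "${level:-missing}" \
            "$(classify_patch_level "$level")"
    done
}

# Constructed inventory (hypothetical device names, not from the article).
SAMPLE_INVENTORY='pixel-lab-01 2017-03-05
nexus-lab-02 2017-03-01
oem-lab-03 2017-02-05
oem-lab-04 unknown
oem-lab-05'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

A `partial` verdict means the device claims only the 2017-03-01 fixes, so the driver and kernel issues listed under 2017-03-05 should be treated as still open on it.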

Source: Google
