Good news if you’ve got a Nexus, otherwise you’re at risk
Another month, another patching cycle for Android.

Google’s mobile OS has picked up seven critical patches, ten classed as high priority, and a pair of moderately important fixes.
In short, playing back a booby-trapped video or receiving a message with malware hidden in it could lead to malicious code running on a vulnerable Android device that hasn’t been patched.

“We have had no reports of active customer exploitation of these newly reported issues,” the March advisory states.
“Partners were notified about the issues described in the bulletin on February 1, 2016 or earlier.
Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours.”
Most of the critical flaws were found by Google’s internal security team, and nearly half deal with programming blunders in Android’s Swiss-cheese-like mediaserver library, some directly and some indirectly via libvpx.
Being able to inject malware into mediaserver, via a message or video, is bad because, according to Google, “the mediaserver service has access to audio and video streams as well as access to privileges that third-party apps could not normally access.”
A critical flaw in Qualcomm’s implementation on Android would also lead to a permanent root that would require re-flashing the operating system to fix.

The same drastic fix would also be needed if the kernel keyring component flaw isn’t fixed.
Meanwhile, moves to strengthen Android against the attacks involving libstagefright only get a high severity rating, as do yet more fixes for Mediaserver.

The full list of bugs – some reaching as far back as Android 4.4 as well as versions 5 and 6 – is below:

Issue | CVE | Severity
Remote Code Execution Vulnerability in Mediaserver | CVE-2016-0815, CVE-2016-0816 | Critical
Remote Code Execution Vulnerabilities in libvpx | CVE-2016-1621 | Critical
Elevation of Privilege in Conscrypt | CVE-2016-0818 | Critical
Elevation of Privilege Vulnerability in the Qualcomm Performance Component | CVE-2016-0819 | Critical
Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver | CVE-2016-0820 | Critical
Elevation of Privilege Vulnerability in Keyring Component | CVE-2016-0728 | Critical
Mitigation Bypass Vulnerability in the Kernel | CVE-2016-0821 | High
Elevation of Privilege in MediaTek Connectivity Driver | CVE-2016-0822 | High
Information Disclosure Vulnerability in Kernel | CVE-2016-0823 | High
Information Disclosure Vulnerability in libstagefright | CVE-2016-0824 | High
Information Disclosure Vulnerability in Widevine | CVE-2016-0825 | High
Elevation of Privilege Vulnerability in Mediaserver | CVE-2016-0826, CVE-2016-0827 | High
Information Disclosure Vulnerability in Mediaserver | CVE-2016-0828, CVE-2016-0829 | High
Remote Denial of Service Vulnerability in Bluetooth | CVE-2016-0830 | High
Information Disclosure Vulnerability in Telephony | CVE-2016-0831 | Moderate
Elevation of Privilege Vulnerability in Setup Wizard | CVE-2016-0832 | Moderate
The vast majority of Android users aren’t going to be getting these updates soon enough, however. Nexus owners will get a push this week, and Samsung’s better than most at pushing out fixes, but some other handset owners may carry these flaws until they upgrade their hardware.
In the meantime, the malware writers will be getting busy reverse-engineering the Android patches and designing code to exploit the flaws.
In the PC sphere this can take as little as 48 hours, although for mobile it’s taking a little longer. ®