Earlier today BlackBerry rolled out an update for the BlackBerry Priv which contained Google’s April 2016 Security updates.
Google have now released factory images with the same April security patch for Nexus devices.
You can now download the latest factory image from Google and flash it yourself.
The update is still Android 6.0.1, but carries a different version number depending on which phone or tablet you are using.
The update is available for:
Nexus 5, Nexus 5X, Nexus 6P, Nexus 6, Nexus Player, Nexus 7, Nexus 9

The table below contains a list of security vulnerabilities, the Common Vulnerabilities and Exposures ID (CVE), and their assessed severity. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.

| Issue | CVE | Severity |
| --- | --- | --- |
| Remote Code Execution Vulnerability in DHCPCD | CVE-2016-1503, CVE-2014-6060 | Critical |
| Remote Code Execution Vulnerability in Media Codec | CVE-2016-0834 | Critical |
| Remote Code Execution Vulnerability in Mediaserver | CVE-2016-0835, CVE-2016-0836, CVE-2016-0837, CVE-2016-0838, CVE-2016-0839, CVE-2016-0840, CVE-2016-0841 | Critical |
| Remote Code Execution Vulnerability in libstagefright | CVE-2016-0842 | Critical |
| Elevation of Privilege Vulnerability in Kernel | CVE-2015-1805 | Critical |
| Elevation of Privilege Vulnerability in Qualcomm Performance Module | CVE-2016-0843 | Critical |
| Elevation of Privilege Vulnerability in Qualcomm RF Component | CVE-2016-0844 | Critical |
| Elevation of Privilege Vulnerability in Kernel | CVE-2014-9322 | Critical |
| Elevation of Privilege Vulnerability in IMemory Native Interface | CVE-2016-0846 | High |
| Elevation of Privilege Vulnerability in Telecom Component | CVE-2016-0847 | High |
| Elevation of Privilege Vulnerability in Download Manager | CVE-2016-0848 | High |
| Elevation of Privilege Vulnerability in Recovery Procedure | CVE-2016-0849 | High |
| Elevation of Privilege Vulnerability in Bluetooth | CVE-2016-0850 | High |
| Elevation of Privilege Vulnerability in Texas Instruments Haptic Driver | CVE-2016-2409 | High |
| Elevation of Privilege Vulnerability in a Video Kernel Driver | CVE-2016-2410 | High |
| Elevation of Privilege Vulnerability in Qualcomm Power Management Component | CVE-2016-2411 | High |
| Elevation of Privilege Vulnerability in System_server | CVE-2016-2412 | High |
| Elevation of Privilege Vulnerability in Mediaserver | CVE-2016-2413 | High |
| Denial of Service Vulnerability in Minikin | CVE-2016-2414 | High |
| Information Disclosure Vulnerability in Exchange ActiveSync | CVE-2016-2415 | High |
| Information Disclosure Vulnerability in Mediaserver | CVE-2016-2416, CVE-2016-2417, CVE-2016-2418, CVE-2016-2419 | High |
| Elevation of Privilege Vulnerability in Debuggerd Component | CVE-2016-2420 | Moderate |
| Elevation of Privilege Vulnerability in Setup Wizard | CVE-2016-2421 | Moderate |
| Elevation of Privilege Vulnerability in Wi-Fi | CVE-2016-2422 | Moderate |
| Elevation of Privilege Vulnerability in Telephony | CVE-2016-2423 | Moderate |
| Denial of Service Vulnerability in SyncStorageEngine | CVE-2016-2424 | Moderate |
| Information Disclosure Vulnerability in AOSP Mail | CVE-2016-2425 | Moderate |
| Information Disclosure Vulnerability in Framework | CVE-2016-2426 | Moderate |
| Information Disclosure Vulnerability in BouncyCastle | CVE-2016-2427 | Moderate |

The most severe issue addressed is a vulnerability that could allow remote code execution when processing media files. These files can be sent to your phone by any means: email, web browsing, MMS or instant messaging. Other critical issues patched are specific to the DHCP client, Qualcomm’s Performance Module and RF driver. These exploits could allow code to run that permanently compromises the device firmware, forcing the end user to re-flash the full operating system if “platform and service mitigations are disabled for development purposes.”
Other patched vulnerabilities include methods to bypass Factory Reset Protection, issues that could be exploited to allow denial of service attacks, and issues that allow code execution on devices with root. IT professionals will also be happy to see mail and ActiveSync issues that could allow access to “sensitive” information patched in this update.
Full details of the April 2016 Security Bulletin are available here.


