Google Patches 39 Bugs in Android Update

Google has patched a whopping 39 flaws in its latest security update round, including eight critical fixes for components such as libstagefright and Mediaserver.

The Nexus Security Bulletin for April will, as usual, be released over the air for Google’s own handsets; it was made available to Google’s hardware partners in mid-March so that they could work on their own fixes.

The update noted the following:

“The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.”

In fact, there are 15 critical flaws in total fixed in the update, 11 of which are RCE – seven of these relating to Mediaserver.

The remaining three are elevation of privilege flaws, with one each in the Qualcomm Performance Module and the Qualcomm RF Component.

There are 10 high severity elevation of privilege flaws and four high severity information disclosure flaws in Mediaserver.

The remaining fixes are for a mix of moderate elevation of privilege, denial of service and information disclosure bugs.

Google has certainly been making strides to improve the security of the Android ecosystem of late.

In June 2015, for example, it launched the Android Security Rewards program, offering to pay for each step required to fix a security bug in Nexus devices, including patches and tests.

However, users may be shooting themselves in the foot by failing to keep up to date with the latest software versions.

A Duo Security report analyzing around one million devices at the start of the year found that a staggering 90% were running old versions of Android.

More concerning still, around a third of Android handsets used in enterprises today are running version 4.0 or older of the OS, leaving them even more exposed to vulnerabilities like Stagefright.
