Google has released the February Security Update for Android, which patches multiple security vulnerabilities discovered in the latest version of the Android operating system.
In total, there were five "critical" security vulnerabilities fixed in the release along with four "high" severity and one merely "moderate" issue.
A set of two critical vulnerabilities has been found in the Broadcom WiFi driver that could be exploited by attackers to perform _Remote Code Execution (RCE)_ on affected Android devices when connected to the same network as the attacker.
The vulnerabilities (CVE-2016-0801 and CVE-2016-0802) can be exploited by sending specially crafted wireless control message packets that can corrupt kernel memory, potentially leading to remote code execution at the kernel level.
> _"These vulnerabilities can be triggered when the attacker and the victim are associated with the same network,"_ reads the advisory. "This issue is rated as a Critical severity due to the possibility of remote code execution in the context of the kernel without requiring user interaction."
Another set of two critical security vulnerabilities was discovered in Mediaserver, which was targeted last summer by critical Stagefright vulnerabilities and exploits that allowed anyone to compromise an Android device by sending just a specially crafted MMS message.
The recently discovered flaws (CVE-2016-0803 and CVE-2016-0804) in Mediaserver could enable remote code execution (RCE) on affected Android devices through email, web browsing, or MMS files when processing media files.
Moreover, a separate elevation of privilege vulnerability (CVE-2016-0810) was also discovered in Mediaserver that could be exploited to gain elevated capabilities, including _Signature_ or SignatureOrSystem permission privileges, that aren't accessible to third-party apps.
Two Elevation of Privilege vulnerabilities have also been found in Qualcomm components: the Qualcomm Performance Module (CVE-2016-0805) and the Qualcomm Wi-Fi Driver (CVE-2016-0806). Both flaws, rated as critical, could allow an attacker to launch further attacks.
Another critically rated bug (CVE-2016-0807) discovered in the Debuggerd component could open the door to arbitrary code execution at the device's root level. Debuggerd is a software tool used for debugging and analyzing Android crashes.
The final fix addresses an Elevation of Privilege flaw in Setup Wizard that could allow a hacker to bypass the Factory Reset Protection and gain access to the affected device.
All the security patches are currently available for Nexus devices only. Google also shared the patches with carrier and manufacturer partners on January 4, but users of other Android devices will have to wait until their devices receive an update.
Nexus device users are advised to patch the flaws by flashing their devices to this new build immediately. Users can also wait for the OTA (Over-the-Air) update that will be out in the next week or so.