This month’s scheduled February patch fixes 13 previously reported security flaws, 11 of which are rated either high or critical severity. Info World reports that, as usual, Google has released its monthly security fix, which for February addresses multiple remote code execution and elevation of privilege vulnerabilities.
The February patch also addressed multiple issues in some of its WiFi components that could be abused to allow remote code execution. According to Threat Post, the February patch was pushed out in builds LMY49G or later to Nexus devices and shared on Jan. 4 with carrier and manufacturer partners. The patches are expected to be released to the Android Open Source Project within the next two days.
Meanwhile, Google has said it is unaware of public attacks against any of the patched vulnerabilities. Threat Post has further reported that these WiFi vulnerabilities can be exploited by sending a malicious wireless control message packet. These packets, in turn, corrupt kernel memory and expose an Android device to remote code execution at the kernel level.
According to the advisory posted by Google, these vulnerabilities can be triggered when the attacker and the victim are on the same network. The tech giant further said that the issue is rated critical severity due to the possibility of remote code execution in the context of the kernel without requiring any user interaction.
Also included in the 13 security flaws fixed by the February update are critical-rated issues such as elevation of privilege flaws in the Qualcomm performance module, the Qualcomm WiFi driver and the debugger daemon.
The vulnerabilities rated high severity included denial of service bugs in the Minikin library, an information disclosure vulnerability in the libmediaplayerservice component, and elevation of privilege vulnerabilities in WiFi and media server.
Google has also addressed two moderate severity bugs that leave users vulnerable to attackers who could bypass factory reset protections in the setup wizard. So far, Info World reports, the Android Security team says it has not received any reports of active customer exploitation of the newly reported issues.
The February patch is delivered automatically to all Nexus devices, but other Android-based mobile phones have to wait for their manufacturers and carriers to roll out versions of the security fixes for their handsets. The fix is also available from the Android Open Source Project repository for users who want to update their devices themselves.