Google patches multiple critical flaws in Android

Google's February security patch bundle for Android on Nexus devices closes multiple critical and high severity bugs, but the updates are only available for newer Nexus devices.

The company released images of patched Nexus firmware and said builds LMY49G and later, as well as Android M, contain the fixes.

Older devices such as the Nexus Q media player and versions 4 and 7 of the Nexus smartphone are among those that have not had their firmware updated. It is not clear if Google will include security patches for the devices.

The patches will be released shortly to the Android Open Source Project so other vendors can apply them, Google said.

Seven vulnerabilities are marked as critical, and two - CVE-2016-0801 and 0802 - affect the Broadcom wi-fi driver in Android. They refer to multiple remote code execution flaws that allow attackers on the same wireless network to send specially crafted control message packets that corrupt kernel memory. This allows the attacker to run code at the same privilege as the Android operating system kernel, without user interaction and notification.

Google was notified of the Broadcom wi-fi driver flaws on October 26 last year, with Android versions 4.4.4, 5.0, 5.1.1, 6.0 and 6.0.1 affected and updated.

The Android mediaserver component continues to cause security grief, with two new remote code execution critical vulnerabilities that can be exploited with multimedia messages (MMS), email and browser playback of media, similar to the Stagefright bug.

Three privilege escalation bugs, also deemed critical, are patched in the latest security update. Google said they could be used for local, permanent device compromises, with the device operating system needing to be reflashed to repair it.

A further four are rated high severity, with one considered a moderate risk.