At https://developers.google.com/android/nexus/drivers, Google has delivered (as promised) binaries for the three Nexus devices.
- “angler” for Nexus 6P (Huawei)
- “bullhead” for Nexus 5X (LG)
- “shamu” for Nexus 6 (Motorola)
The Android Security Group seems to have taken their purpose seriously. CVE-2015-6608 through CVE-2015-6614 are addressed. That means the vulnerabilities that were discovered in the past few months (Google sent advisories to carriers and OEM’s less than a month ago) have been addressed with code to rectify the situation…for these devices. Google and team Android should be recognized for their efforts.
To solve the challenge of mitigating Android vulnerabilities, their Damage Control plan included monthly patch schedule, transparency, detailed information about the severity of the vulnerability and they are a couple of days early making good on that plan.
From the Android Security Group:
Security Vulnerability Details
In the sections below, we provide details for each of the security vulnerabilities listed in the Security Vulnerability Summary above. There is a description of the issue, a severity rationale, and a table with the CVE, associated bug, severity, affected versions, and date reported. Where available, we’ve linked the AOSP commit that addressed the issue to the bug ID. When multiple changes relate to a single bug, additional AOSP references are linked to numbers following the bug ID.
Remote Code Execution Vulnerabilities in Mediaserver
During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.
The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
This issue is rated as a Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps cannot normally access.