Google release Factory Images for Nexus Devices with April 2016 Security updates

Earlier today BlackBerry rolled out an update for the BlackBerry Priv which contained Google’s April 2016 Security updates.

Google have now released factory images with the same April security patch for Nexus devices.

You can now download the latest factory image from Google and flash it yourself.

The update is still Android 6.0.1, but carries a different version number depending on which phone or tablet you are using.

The update is available for:

  • Nexus 5
  • Nexus 5X
  • Nexus 6P
  • Nexus 6
  • Nexus Player
  • Nexus 7
  • Nexus 9

The table below contains a list of security vulnerabilities, their Common Vulnerabilities and Exposures (CVE) IDs, and their assessed severity. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.

| Issue | CVE | Severity |
|---|---|---|
| Remote Code Execution Vulnerability in DHCPCD | CVE-2016-1503, CVE-2014-6060 | Critical |
| Remote Code Execution Vulnerability in Media Codec | CVE-2016-0834 | Critical |
| Remote Code Execution Vulnerability in Mediaserver | CVE-2016-0835, CVE-2016-0836, CVE-2016-0837, CVE-2016-0838, CVE-2016-0839, CVE-2016-0840, CVE-2016-0841 | Critical |
| Remote Code Execution Vulnerability in libstagefright | CVE-2016-0842 | Critical |
| Elevation of Privilege Vulnerability in Kernel | CVE-2015-1805 | Critical |
| Elevation of Privilege Vulnerability in Qualcomm Performance Module | CVE-2016-0843 | Critical |
| Elevation of Privilege Vulnerability in Qualcomm RF Component | CVE-2016-0844 | Critical |
| Elevation of Privilege Vulnerability in Kernel | CVE-2014-9322 | Critical |
| Elevation of Privilege Vulnerability in IMemory Native Interface | CVE-2016-0846 | High |
| Elevation of Privilege Vulnerability in Telecom Component | CVE-2016-0847 | High |
| Elevation of Privilege Vulnerability in Download Manager | CVE-2016-0848 | High |
| Elevation of Privilege Vulnerability in Recovery Procedure | CVE-2016-0849 | High |
| Elevation of Privilege Vulnerability in Bluetooth | CVE-2016-0850 | High |
| Elevation of Privilege Vulnerability in Texas Instruments Haptic Driver | CVE-2016-2409 | High |
| Elevation of Privilege Vulnerability in a Video Kernel Driver | CVE-2016-2410 | High |
| Elevation of Privilege Vulnerability in Qualcomm Power Management Component | CVE-2016-2411 | High |
| Elevation of Privilege Vulnerability in System_server | CVE-2016-2412 | High |
| Elevation of Privilege Vulnerability in Mediaserver | CVE-2016-2413 | High |
| Denial of Service Vulnerability in Minikin | CVE-2016-2414 | High |
| Information Disclosure Vulnerability in Exchange ActiveSync | CVE-2016-2415 | High |
| Information Disclosure Vulnerability in Mediaserver | CVE-2016-2416, CVE-2016-2417, CVE-2016-2418, CVE-2016-2419 | High |
| Elevation of Privilege Vulnerability in Debuggerd Component | CVE-2016-2420 | Moderate |
| Elevation of Privilege Vulnerability in Setup Wizard | CVE-2016-2421 | Moderate |
| Elevation of Privilege Vulnerability in Wi-Fi | CVE-2016-2422 | Moderate |
| Elevation of Privilege Vulnerability in Telephony | CVE-2016-2423 | Moderate |
| Denial of Service Vulnerability in SyncStorageEngine | CVE-2016-2424 | Moderate |
| Information Disclosure Vulnerability in AOSP Mail | CVE-2016-2425 | Moderate |
| Information Disclosure Vulnerability in Framework | CVE-2016-2426 | Moderate |
| Information Disclosure Vulnerability in BouncyCastle | CVE-2016-2427 | Moderate |

The most severe issue addressed is a vulnerability that could allow remote code execution when processing media files. These files can be sent to your phone by any means — email, web browsing, MMS or instant messaging. Other critical issues patched are specific to the DHCP client, Qualcomm’s Performance Module and RF driver. These exploits could allow code to run that permanently compromises the device firmware, requiring the end user to re-flash the full operating system — if “platform and service mitigations are disabled for development purposes.”

Other vulnerabilities patched also include methods to bypass Factory Reset Protection, issues that could be exploited to allow denial of service attacks, and issues that allow code execution on devices with root. IT professionals will be happy to also see mail and ActiveSync issues that could allow access to “sensitive” information patched in this update.

Full details of the April 2016 Security Bulletin are available here.
