Google released its Android Security Bulletin for July with 108 patches overall.
The first patch level, 2016-07-05, includes fixes for vulnerabilities found in the Android OS.
Among these are seven critical RCE flaws affecting the Mediaserver component, which can be triggered via email, web browsing, and MMS by making the component process specially crafted media files, and an RCE flaw in OpenSSL and BoringSSL that an attacker could leverage with a specially crafted file.
The rest are mostly elevation of privilege and information disclosure vulnerabilities in a variety of services, libraries, Bluetooth, and the Framework APIs.
A second security patch level, 2016-07-05, contains patches for vulnerabilities and for device-specific ones.
Among these are mostly elevation of privilege vulnerabilities affecting Qualcomm, NVIDIA and MediaTek drivers and components, and some kernel flaws.
None of the fixed flaws can be misused to break Android’s Full-Disk Encryption (FDE).
The good news is that there is no indication that any of the fixed issues are being exploited.
“This bulletin has two security patch level strings in order to provide Android partners with the flexibility to move more quickly to fix a subset of vulnerabilities that are similar across all Android devices,” Google said in a blog post.
“Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level string.”
Users of Android smartphones that are not manufactured by Google will have to wait for their manufacturers or carriers to push out the patches.