As expect and right on time, Google has posted the February security update for Android Marshmallow today. The update takes the 6.0.1 build to version MMB29Q and it is now available for flashing on the Factory Images page of the developer site.
There are a lot of security fixes in this update, the biggest of which is a fix for remote code execution which was discovered in January.
The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The Remote Code Execution Vulnerability in Broadcom’s Wi-Fi driver is also Critical severity as it could allow remote code execution on an affected device while connected to the same network as the attacker.
Google points out in the security bulletin that they are not aware of any customers being impacted by this issue but is encouraging users to update as soon as the build is available to them.
In total there were six critical issues fixed in the release along with five high priority issues that were addressed. The six critical issues addressed
|emote Code Execution Vulnerability in Broadcom Wi-Fi Driver||CVE-2016-0801
|Remote Code Execution Vulnerability in Mediaserver||CVE-2016-0803
|Elevation of Privilege Vulnerability in Qualcomm Performance Module||CVE-2016-0805||Critical|
|Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver||CVE-2016-0806||Critical|
|Elevation of Privilege Vulnerability in the Debugger Daemon||CVE-2016-0807||Critical|
The security bulletin outlines in detail all of the fixes along with crediting those who helped fix or identify them.
For those who want to do it, you can flash your Nexus device to this new build immediately. If you want to wait for the OTA, it will be out in the next week or so and will start filtering to your device. Remember, if you are on a Nexus device that is carrier locked, it will be a longer wait.