Google has published its October Android security bulletin and is rolling out the OTA update to Nexus and Pixel devices.
It’s also introduced a new way of handling its security bulletins. As usual it’s publishing a monthly Android security bulletin with details about a partial patch level and complete patch level, But it’s now introduced a new ‘Pixel/Nexus bulletin’ that documents additional bugs fixed in these devices.
Due to this change, the October update is light compared with previous updates, detailing fixes for just eight vulnerabilities affecting the Android operating system and six for other components related to the kernel, and drivers for MediaTek and Qualcomm hardware.
By comparison, the partial September patch level for Android fixed 34 security flaws, with dozens more documented fixes in hardware drivers, the kernel and other components for the complete patch level.
The eight Android vulnerabilities are addressed in the patch level dated 2017-10-01 while remaining six are fixed in the complete patch level dated 2017-10-05.
Google’s new Pixel/Nexus security bulletin contains details about further vulnerabilities in both Android and other components as well as “functional improvements” that are only addressed these devices.
Google lists a further 38 security vulnerabilities in the Pixel/Nexus bulletin for the 2017-10-05 patch level, which affect Android, and components from Broadcom, HTC, Huawei, Motorola, and Qualcomm. There were no functional improvements in this update.
Android device makers have the option to address issues listed in the Pixel/Nexus bulletin, but don’t need to fix them to state their devices are up to date with the latest patch level.
“Security vulnerabilities that are documented in [the Android] security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in device / partner security bulletins are not required for declaring a security patch level,” Google explains in a Q&A section about the new bulletin.
Presumably this move is to help Android devices makers fix the most important bugs more quickly. Notably, none of the bugs in the Pixel/Nexus bulletin is rated as “critical”.
Google counts the Pixel/Nexus bulletin as a ‘device/partner’ bulletin like the monthly security bulletins from Samsung and LG.
Samsung has already published its October bulletin, detailing Google patches from the Android security bulletin, and six further flags affecting Samsung devices. The company in September launched its mobile bug bounty, offering researchers between $200 and $200,000 for reporting bugs affecting select Galaxy handsets and tablets.
The 2017-10-01 patch level also has a fix for the masqdns Domain Name System (DNS) software that affected a number of Google’s own services and the Google-created Kubernetes containerization automation software.