A security update for Android fixes 40 vulnerabilities that in the worst case allowed an attacker to install malicious apps or execute random code. Google released the update over-the-air for its Nexus devices. Users with an Android device of another vendor will have to wait till the patch is released for them too.
Google reports that 8 of the vulnerabilities were so serious that attackers could execute random code or install malicious apps. These vulnerabilities were in Mediaserver and several drivers of Qualcomm for the GPU, sound card and Wifi. Receiving a malicious MMS or visiting a malicious website was sufficient to become a victim of these vulnerabilities when exploited.
Other vulnerabilities allowed a malicious app, installed by the user, to elevate privileges or to retrieve sensitive data.
Google informed other Android device vendors about the vulnerabilities on the 2nd of May this year. It's however unknown when these vendor will release security patches. Google also reports that so far none of the vulnerabilities was exploited in the wild.
