Google has fixed 19 bugs in Android in its March update, including two remote code-execution bugs in its problematic and privileged Mediaserver service.
Mediaserver, often blamed for battery drain on Android devices, is yet again the source of the worst flaws affecting up-to-date Android devices.
For this month's update, Google's own security teams discovered two new critical flaws in the service that could be used to cause remote code execution by sending a rigged email, MMS, or a media file played through the browser. Google also identified another related critical flaw in libvpx.
The March update includes fixes for a total of seven critical flaws, 10 high-impact bugs, and two moderate issues.
Five of the seven critical bugs affect Android dating back to KitKat version 4.4.4.
The good news for Nexus device owners is that an over-the-air update has been pushed out to devices and the issues are fixed in Android M with Security Patch Level of March 01, 2016. For the Nexus 10's Android 5.1.1, build LMY49H also addresses the issues.
The bad news for overall Android security is that the vast majority of devices won't see the updates.
Android device owners still running Android KitKat will probably remain vulnerable to the latest Mediaserver bugs until they buy a new handset. Two-year-old KitKat still powers 35 percent of all Android devices, while Android M only accounts for 1.2 percent.
Still, Google's Nexus updates have helped Android partners keep Android 5.1 Lollipop devices secure during the slow transition to Android M.
Google says partners such as Samsung, LG, Sony, and BlackBerry were notified of the March fixes by February 1. Also, Google noted that it was not aware of any of the bugs being exploited.
Since kicking off its Android monthly patches, Samsung has generally taken about three weeks to deliver its Google's updates for its newer Galaxy devices.
BlackBerry has been first off the mark to deliver Google's patches and has already delivered the March updates to its Android-powered Priv handsets.