Android security: Google's May update hits bugs with critical patches for Nexus, Pixel

Google's updates for Nexus and Pixel devices address critical bugs that could lead to remote code execution.
Written by Liam Tung, Contributing Writer

Pixel and supported Nexus devices should receive the complete patch in an over-the-air update in the coming days.

Image: CNET

Google has released its May security bulletin for Android with patches available for Nexus and Pixel devices.

As with previous updates, the May security update for Android is split into two patch levels. The one called 2017-05-01 is the partial security patch level while 2017-05-05 is the complete security patch level.

Owners of supported Nexus and Pixel devices should receive the complete patch in an over-the-air update in the coming days, or they can get it directly from Google's developer site. Android OEMs have the choice of distributing either update to end users.

As Google revealed last week, the Nexus 6 and Nexus 9, which were released in November 2014, will no longer be "guaranteed" to receive security updates after October 2017. The newer Pixel and Pixel XL handsets lose that guarantee after October 2019.

Google last year documented exact timeframes for when each Nexus model would stop receiving new versions of Android. A new table on Google's device support page offers the same clarification for security updates.

The table is easier to interpret than the previously available statement that, "Nexus devices get security updates for at least three years from when the device first became available on the Google Store, or at least 18 months from when the Google Store last sold the device, whichever is longer."

Apple doesn't offer an equivalent timetable of support deadlines for the iPhone and other iOS hardware, though typically it has provided updates for about four years. Instead, with each new release, it provides a list of devices that are compatible with the latest version of iOS.

This month's partial patch level addresses six critical issues affecting Android's Mediaserver component, which could lead to remote code execution.

"The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," Google notes.

The patch level also contains fixes for 14 other bugs with a lower severity rating.

The complete patch level brings fixes for 11 critical security flaws affecting various drivers, libraries and bootloaders, as well as dozens of fixes for less severe issues.

Read more about Google Android security

Editorial standards