If you use a mobile device that runs the Google Android operating system, take note. In its May 2016 Android security update, Google fixed many vulnerabilities but several still linger. ZD Net reported:
"The search and mobile giant on Monday released its monthly round of Android security fixes, with one persistent flaw at the top of the list: a "critical" security vulnerability in mediaserver, a part of Android that finds and indexes media files stored on the device. Almost every month since Google began pushing out monthly security patches, researchers have found a new problem in the bug-ridden Android component."
"Bug-ridden" does not sound good. ZD Net explained:
"According to the bulletin, the two flaws "could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," though the flaw is mitigated slightly because Google Hangouts and Messenger apps can't trigger the flaw. In other words, an attacker can run malware on a device by exploiting the mediaserver, because the service has access to privileged parts of the device which other apps don't have."
Corporate information technology managers at companies with "BYOD" (a//k/a Bring Your Own Device) policies for their employees can't be happy with this security situation. What can consumers make of this security situation? ZD Net explained in May 2015:
"The problem is that most devices are never updated. The one exception is Google's own brand of phones, the Nexus line-up, which remain continually updated with the latest patches and fixes... Android remains the most popular mobile operating system in the world with over 81 percent of the worldwide market share. But only a fraction of Android's share is running the software's latest version, with the latest bug fixes, vulnerability patches, and security updates. Official stats say just shy of 10 percent are using Android 5.0 "Lollipop," with about 39 percent running the second latest version, Android 4.4 "KitKat"... That's because not everyone gets the updates. Some Android devices aren't deemed compatible. That includes updates that include incremental security fixes (and features) known to mitigate malware threats and data leaks. And it's not Google that determines who gets an upgrade. Google leaves it up to the carriers. Carriers argue they need to test Android updates to determine whether or not a device will get an upgrade. When it's not the carriers, it's the phone makers..."
So, security takes a backseat to profits. Shop wisely for a device (and wireless provider) that includes all security updates.