Every single month Google releases a new security patch for Android, pushing the software out to Nexus devices, while other manufacturers take care of sending these updates out to their own products. September’s patch is now on the way to Nexus devices, Android One phones, and the Pixel C tablet, and it’s broken up into three separate levels of security. The reason Google has done this is to allow manufacturers the capability to push updates to their devices faster, as each security patch level offers a little something different, but more specifically each patch level offers a little more security than the previous one.
This type of release makes it possible for manufacturers to push out the update for the earliest patch level at an earlier time as it carries a couple of less fixes so there is less to incorporate. It also allows manufacturers to pick and choose which security patch is a best fit for their devices. Moreover, manufacturers can start by pushing the first security patch level as soon as possible while taking a little extra time to work with the third and more secure patch level and push it out at a later date if needed.
In addition to breaking things up to make the security patches easier to work with for manufacturers, The Verge notes that the September security patch also introduces fixes that do away with the risk of Stagefright vulnerabilities as Google has re-worked the mediaserver with this month’s update. If you’re familiar with Stagefright, the mediaserver was the part of the system that was at risk from malicious attacks by way of MMS messages. Prior to this update, the mediaserver was built in such a way that it was at risk from exploits using MMS or Hangouts. Google has rebuilt the media playback system with Android 7.0 Nougat and is beginning to push those changes out to Android along with September’s security patch, which essentially means that devices who have installed this latest patch will be protected against any variations of Stagefright. The way this works is that the rebuilt mediaserver now immediately scans for the core attack used in Stagefright. In regards to the three different security patch levels, the first was labeled for September 1st, while the second was labeled for September 5th, with the third and final patch level being labeled for today, September 6th. As always the security patches are available to install on your Nexus devices through a factory image or OTA image from Google, but the software patches will also be pushed out to devices over-the-air.