Google has finally released official system images for the September Android security update, after reports of OTA updates already being rolled out started coming in earlier this week. The September Android security patch can now be installed on compatible Nexus and Pixel devices, and it's crucial that you download it, as it brings along the fix for the critical BlueBorne Bluetooth attack.
BlueBorne was uncovered by IoT security firm Armis Labs earlier this week, and apart from Android, it has the potential to exploit Windows, Linux, and a few iOS devices as well. The attack vector can infect over 5.3 billion devices out there via Bluetooth, and it doesn't even need to pair with a device to infect it. All it needs is for Bluetooth to be turned on, and then it can spread malware freely without letting the affected user know about it.
Thankfully, the September security patch resolves this issue for Pixel, Pixel XL, Pixel C, Nexus 6P, Nexus 6, Nexus 5X, and Nexus 9. Interestingly, the Nexus Player images haven't been released by Google yet. All the other Android devices which are also vulnerable to the exploit need to rely on their OEMs to roll out the September Android security update to them, thanks to the open source nature of Android. Hopefully, OEMs will take this threat seriously and roll out a fix soon.
If you haven't already received an OTA update, you can wait for one to arrive on your device. Alternatively, the OTA zip files and factory images are also available on Google's developer site, and you can install them manually if you don't wish to wait. If you choose to make use of factory images, you'll need an unlocked device and be willing to reset the unit. OTA files, on the other hand, can be installed on a locked phone or tablet as well, and do not require users to back up their data or reset their device.
Overall, the September Android security update resolves 30 issues in the patch level dated 2017-09-01, and 51 issues in the one dated 2017-09-05. Vulnerabilities range from moderate to critical, and Google particularly notes that the two patch levels provide "Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices."
All devices running on iOS 9.3.5 and above are vulnerable, but fortunately, Apple has released a patch for this with iOS 10, fixing all issues. Microsoft also released an update recently to close this bug, and Armis said it is still not aware of a Linux fix, but it expects it to be released soon.