Android is getting a new patch today, fixing a total of 23 vulnerabilities including two critical issues. The most serious of the vulnerabilities allows remote code execution through email, web browsing, and MMS. The patch also fixes a newly discovered vulnerability in the Stagefright library, listed as high rather than critical because of the difficulty of remote execution.
The patch includes bugs reported by Trend Micro, System Security Lab, and Keen Team, as well as Google's internal security teams. Partners were notified of the bugs by October 5th, and the patches will be published to the Android Open Source Project's code repository within 48 hours.
It's the fourth monthly update since Android security began its monthly schedule, and the second since the Marshmallow release. As serious as the issues seem, they're fairly routine for a patch of this kind. By contrast, the latest iOS release fixed 49 vulnerabilities (including a kernel attack), coming less than 30 days after the 9.0.2 release. Each release contained some scary-sounding vulnerabilities, but they all represent a win for researchers, since they're being patched before they've been exploited in the wild.
The big question for Android users is how long it will take for the patch to reach every device. It's being deployed directly to Nexus devices, and Samsung has said it will push monthly patches immediately to Galaxy S, Note, and Tab models. LG made a similar announcement at this year's Black Hat conference. Other manufacturers like HTC and Sony have pushed out patches for specific bugs like Stagefright but haven't yet committed to the rolling updates.
If your Android phone is running Marshmallow, you can check to see if you've received the patch by looking for the Android Security Patch Level section of the Settings menu. If the date is November 1st or later, it means the patch is in place.