Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Patches Critical Vulnerabilities in Android

Google has patched another series of Critical vulnerabilities in Android, including a remote code execution (RCE) flaw in mediaserver and several elevation of privilege (EoP) issues in various drivers and components.

Google has patched another series of Critical vulnerabilities in Android, including a remote code execution (RCE) flaw in mediaserver and several elevation of privilege (EoP) issues in various drivers and components.

The Internet giant included 16 security patches for 19 vulnerabilities in this month’s Nexus Security Bulletin, which is the eighth monthly update coming from the company since the Stagefright flaw was discovered in July last year to affect nearly 1 billion devices.

The Security Bulletin reveals that seven of these vulnerabilities were rated Critical, ten were rated High, and two Moderate. While many of these flaws were EoP issues, Google also resolved information disclosure bugs in the mobile OS, along with a mitigation bypass vulnerability, and a remote denial of service flaw.

Fortunately, Google said it has not had any reports of active customer exploitation of the newly patched vulnerabilities.

The new set of security updates for Android once again resolves vulnerabilities in mediaserver, the platform component that was affected by Stagefright and Stagefright 2.0 last year. This month, Google patched two RCE issues in it (CVE-2016-0815 and CVE-2016-0816), which could be exploited during the processing of a specially crafted media file, and which affect Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1.

Google also patched 4 EoP flaws affecting Conscrypt (CVE-2016-0818), the Qualcomm Performance Component (CVE-2016-0819), MediaTek Wi-Fi Driver (CVE-2016-0820), and Keyring Component (CVE-2016-0728). The issue with the MediaTek Wi-Fi Kernel Driver affects Android 6.0.1, while the other three were found in Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1.

The vulnerability in Conscrypt could allow a specific type of invalid certificate, issued by an intermediate Certificate Authority (CA), to be incorrectly trusted, which may enable a man in the middle attack. The other three could enable a local malicious application to execute arbitrary code within the kernel, with CVE-2016-0819 and CVE-2016-0728 possibly resulting in permanent device compromise.

Of the 10 High risk flaws resolved in the March Nexus Security Bulletin, one is a mitigation bypass vulnerability in the kernel (CVE-2016-0821), one a remote denial of service bug in Bluetooth (CVE-2016-0830), one EoP issue in MediaTek connectivity driver (CVE-2016-0822), and two EoP flaws in mediaserver (CVE-2016-0826 and CVE-2016-0827).

Advertisement. Scroll to continue reading.

Google also patched information disclosure vulnerabilities in kernel (CVE-2016-0823), libstagefright (CVE-2016-0824), Widevine (CVE-2016-0825), and mediaserver (CVE-2016-0828 and CVE-2016-0829). Most of these flaws affect Android 6.0 and 6.0.1 releases, but the ones in mediaserver were found in all Android versions starting with 4.4.4.

All of these issues have been addressed in Android Build LMY49H or later and Android 6.0 with Security Patch Level of March 1, 2016 or later, Google notes. The company notified its partners on these issues on February 1, 2016 or earlier and plans on publishing the source code patches for these issues to the Android Open Source Project (AOSP) repository in the next couple of days.

In August 2015, Google committed to regular, monthly updates for Nexus devices, and partner manufacturers such as Samsung and BlackBerry also announced plans to follow Google’s footsteps.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.