Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Fixes Critical Flaws in Latest Android Update

Google on Monday released its December 2015 Nexus Security Bulletin to patch 19 known vulnerabilities in the Android operating system, five of which are rated Critical.

Google on Monday released its December 2015 Nexus Security Bulletin to patch 19 known vulnerabilities in the Android operating system, five of which are rated Critical.

The most severe of the vulnerabilities resolved in this round of patches is a Critical security vulnerability that could enable remote code execution (RCE) on an affected device. The issue could be exploited when processing media files and provides attackers with multiple entry points, including email, web browsing, and MMS, Google explains in the Security Bulletin.

Four of the Critical vulnerabilities resolved in the update could result in RCE and reside in Mediaserver (CVE-2015-6616), Skia (CVE-2015-6617), and Display Driver (CVE-2015-6633 and CVE-2015-6634). The fifth is an Elevation of Privilege (EOP) vulnerability in Kernel (CVE-2015-6619). All of them affect Android 6.0 and older versions of the operating system, Google warns.

Earlier this year, Google patched another series of Critical vulnerabilities in the Mediaserver service, including the Stagefright issue that was revealed back in July by security firm Zimperium, and the Stagefright 2.0 flaw disclosed by the same security firm in late September. The first of them determined Google to commit to monthly security updates for Android, to patch similar issues in due time.

The newly patched RCE vulnerabilities in Android could be triggered during the playback of media files, as all of them could cause memory corruption. The elevation of privilege vulnerability in the system kernel could allow local malicious application to execute arbitrary code within the device root context, resulting in complete device compromise (devices could be repaired only by re-flashing the OS).

The December 2015 set of patches also resolves 12 vulnerabilities featuring High severity, including an RCE flaw in Bluetooth (CVE-2015-6618), EOP issues in libstagefright (CVE-2015-6620), SystemUI (CVE-2015-6621), Native Frameworks Library (CVE-2015-6622), Wi-Fi (CVE-2015-6623), and System Server (CVE-2015-6624), and information disclosure vulnerabilities in libstagefright (CVE-2015-6626, CVE-2015-6631, and CVE-2015-6632), Audio (CVE-2015-6627), Media Framework (CVE-2015-6628), and Wi-Fi (CVE-2015-6629).

The security update also resolves two Moderate issues in Android, namely an elevation of privilege vulnerability in System Server (CVE-2015-6625), and an information disclosure vulnerability in SystemUI (CVE-2015-6630). Google notes that the severity assessment is based on the effect that exploiting the vulnerability would have on an affected device, provided that platform and service mitigations are disabled.

All of these issues are addressed in software build LMY48Z or later and Android Marshmallow with Security Patch Level of December 1, 2015 or later, the security bulletin reveals. Google’s manufacturing partners received information on these issues on November 2, 2015, when they were also provide with updates for them. The source code patches for these issues will be released to the Android Open Source Project (AOSP) repository soon.

Advertisement. Scroll to continue reading.

Owners of Nexus devices should receive the new software update shortly. Manufacturers including Samsung, LG, and BlackBerry committed over the summer to push these updates to their users on a monthly basis, and BlackBerry released the first security patch for its Android-based PRIV devices last week.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Stephanie Crowe has been appointed head of the Australian Cyber Security Centre (ACSC).

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.