Google on Monday released its December 2015 Nexus Security Bulletin to patch 19 known vulnerabilities in the Android operating system, five of which are rated Critical.
The most severe of the vulnerabilities resolved in this round of patches is a Critical security vulnerability that could enable remote code execution (RCE) on an affected device. The issue could be exploited when processing media files and provides attackers with multiple entry points, including email, web browsing, and MMS, Google explains in the Security Bulletin.
Four of the Critical vulnerabilities resolved in the update could result in RCE and reside in Mediaserver (CVE-2015-6616), Skia (CVE-2015-6617), and Display Driver (CVE-2015-6633 and CVE-2015-6634). The fifth is an Elevation of Privilege (EOP) vulnerability in Kernel (CVE-2015-6619). All of them affect Android 6.0 and older versions of the operating system, Google warns.
Earlier this year, Google patched another series of Critical vulnerabilities in the Mediaserver service, including the Stagefright issue that was revealed back in July by security firm Zimperium, and the Stagefright 2.0 flaw disclosed by the same security firm in late September. The first of them determined Google to commit to monthly security updates for Android, to patch similar issues in due time.
The newly patched RCE vulnerabilities in Android could be triggered during the playback of media files, as all of them could cause memory corruption. The elevation of privilege vulnerability in the system kernel could allow local malicious application to execute arbitrary code within the device root context, resulting in complete device compromise (devices could be repaired only by re-flashing the OS).
The December 2015 set of patches also resolves 12 vulnerabilities featuring High severity, including an RCE flaw in Bluetooth (CVE-2015-6618), EOP issues in libstagefright (CVE-2015-6620), SystemUI (CVE-2015-6621), Native Frameworks Library (CVE-2015-6622), Wi-Fi (CVE-2015-6623), and System Server (CVE-2015-6624), and information disclosure vulnerabilities in libstagefright (CVE-2015-6626, CVE-2015-6631, and CVE-2015-6632), Audio (CVE-2015-6627), Media Framework (CVE-2015-6628), and Wi-Fi (CVE-2015-6629).
The security update also resolves two Moderate issues in Android, namely an elevation of privilege vulnerability in System Server (CVE-2015-6625), and an information disclosure vulnerability in SystemUI (CVE-2015-6630). Google notes that the severity assessment is based on the effect that exploiting the vulnerability would have on an affected device, provided that platform and service mitigations are disabled.
All of these issues are addressed in software build LMY48Z or later and Android Marshmallow with Security Patch Level of December 1, 2015 or later, the security bulletin reveals. Google’s manufacturing partners received information on these issues on November 2, 2015, when they were also provide with updates for them. The source code patches for these issues will be released to the Android Open Source Project (AOSP) repository soon.
Owners of Nexus devices should receive the new software update shortly. Manufacturers including Samsung, LG, and BlackBerry committed over the summer to push these updates to their users on a monthly basis, and BlackBerry released the first security patch for its Android-based PRIV devices last week.