Security Experts:

Google Patches 40 Vulnerabilities in Android

Google’s May 2016 security update for the Android operating system patches a total of 40 vulnerabilities, including many rated critical and high severity.

The list of critical issues includes another round of remote code execution flaws in mediaserver, and privilege escalation vulnerabilities in the Android debugger, the Qualcomm TrustZone component, the Qualcomm Wi-Fi driver, the kernel, and the NVIDIA video driver.

The mediaserver flaws allow an attacker to remotely execute code within the context of the mediaserver service. The privilege escalation weaknesses allow a local malicious application to execute arbitrary code in the context of the Android debugger or the kernel.

The critical vulnerabilities have been assigned the following CVE identifiers: CVE-2016-2428, CVE-2016-2429, CVE-2016-2430, CVE-2016-2431, CVE-2016-2432, CVE-2015-0569, CVE-2015-0570, CVE-2016-2434, CVE-2016-2435, CVE-2016-2436, CVE-2016-2437 and CVE-2015-1805.

The high severity issues patched by Google with this month’s Android updates include remote code execution vulnerabilities in the kernel and Bluetooth, and privilege elevation flaws in various Qualcomm components, Wi-Fi, mediaserver, the MediaTek Wi-Fi driver, and Binder. An information disclosure vulnerability in the Qualcomm tethering controller and a remote denial-of-service (DoS) vulnerability in the Qualcomm hardware codec have also been classified as having high severity.

The CVE identifiers assigned to these flaws are CVE-2016-2438, CVE-2016-2060, CVE-2016-2439, CVE-2016-2440, CVE-2016-2441, CVE-2016-2442, CVE-2016-2443, CVE-2015-0571, CVE-2016-2444, CVE-2016-2445, CVE-2016-2446, CVE-2016-2447, CVE-2016-2448, CVE-2016-2449, CVE-2016-2450, CVE-2016-2451, CVE-2016-2452, CVE-2016-2453 and CVE-2016-2454.

The Android update also resolves several moderate severity issues, including privilege escalation and information disclosure vulnerabilities. Only one of the 40 flaws patched this month has been rated as low severity - a DoS bug affecting the kernel.

The vulnerabilities patched by Google with the May 2016 update were reported between October 15, 2015, and March 23 by independent researchers and experts affiliated with Google, e2e-assure, C0re Team, FireEye, Qihoo 360, Search-Lab, Tencent, Trend Micro, Alibaba and Baidu.

A security update that includes patches for most of the flaws has been pushed out to Nexus devices. Google has notified its partners about the issues on April 4 or earlier, and it will publish the source code patches on the Android Open Source Project (AOSP) repository sometime over the next couple of days.

Google also announced that it has updated severity ratings in an effort to better align them with real world impact to users.

In addition to regular Android security updates, Google sometimes releases emergency patches to address critical vulnerabilities that require immediate attention. In March, the search giant issued an update to fix a local privilege escalation flaw that had been exploited by a rooting application.

Related: Android Ransomware Dropped via Towelroot, Hacking Team Exploits

Related: Google Patches Critical Vulnerabilities in Android

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.