Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Patches Critical Flaw in Android Mediaserver

Google on Monday released the latest set of updates for its Android operating system (OS), including fixes for five critical security vulnerabilities found in the popular mobile OS.

Google on Monday released the latest set of updates for its Android operating system (OS), including fixes for five critical security vulnerabilities found in the popular mobile OS.

The January 2016 Nexus Security Bulletin resolves 12 security flaws in the mobile operating system, including two rated high risk and five moderate, in addition to the five rated as critical.

The most severe of the newly fixed bugs in Android is a remote code execution (RCE) vulnerability in Mediaserver, which could allow an attacker to cause memory corruption and remote code execution during media file and data processing of a specially crafted file. The issue has received the Common Vulnerability and Exposures ID (CVE) CVE-2015-6636 and affects Android 5.0, 5.1.1, 6.0, and 6.0.1 versions.

The mediaserver service has access to audio and video streams and privileges unavailable for third-party apps and is provided as a core part of Android with multiple applications being able to reach it with remote content, including MMS and browser playback of media. The issue was discovered by Google’s employees and builds LMY49F or later and Android 6.0 with Security Patch Level of January 1, 2016 or later address it.

The vulnerability appears to be similar in scope to the “Stagefright” vulnerability that was disclosed in July 2015, which affected nearly one billion Android devices. Google’s initial patch did not properly address the mediaserver service flaw.

Google committed to releasing monthly security fixes for the Android platform in August 2015. In September, a Stagefright exploit was released and Google patched a Stagefright 2.0 vulnerability in October, after it was discovered to affect the same libraries as the original issue.

Google’s latest Nexus Security Bulletin also resolves an elevation of privilege (EoP) flaw in the misc-sd driver from MediaTek (CVE-2015-6637) and an EoP issue in a kernel driver from Imagination Technologies (CVE-2015-6638), which could allow local malicious applications execute arbitrary code within the kernel, both rated critical.

The new set of security updates also resolves two critical EoP vulnerabilities in the Widevine QSEE TrustZone application (CVE-2015-6639 and CVE-2015-6647) that could enable a compromise, privileged application with access to QSEECOM to execute arbitrary code in the Trustzone context. Additionally, it patches a critical EoP in the kernel (CVE-2015-6640) that could enable a local malicious application to execute arbitrary code in the kernel.

Advertisement. Scroll to continue reading.

The Security Bulletin fixes two flaws rated high risk, namely an EoP in the Bluetooth component (CVE-2015-6641) that could enable a remote device paired over Bluetooth to gain access to user’s contacts, and an information disclosure vulnerability in the kernel (CVE-2015-6642) that could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. Successful exploits could gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, Google said.

The five medium risk vulnerabilities resolved in the new set of patches include an EoP in Setup Wizard (CVE-2015-6643), which requires physical access to the device; an EoP in Wi-Fi (CVE-2015-5310), which could allow access to Wi-Fi service related information; an information disclosure vulnerability in Bouncy Castle (CVE-2015-6644); and a denial of service vulnerability in the SyncManager (CVE-2015-6645). The patch also reduces attack surface exposure on Nexus devices (CVE-2015-6646) by removing SysV IPC from the OS.

Google said its partners were notified on the issues about a month ago, while the source code for these patches will be released in Android Open Source Project (AOSP) repository within the next couple of days.

Last month, Google resolved 19 security vulnerabilities in the Android platform, five rated critical (), the most severe of which was also related to the mediaserver process. The company’s manufacturing partners have also started to adhere to the monthly cycle of security updates, including Samsung and BlackBerry, the latter releasing the first such set of patches on Dec. 1, 2015.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.