Google Patches Critical Flaw in Android Mediaserver

Google on Monday released the latest set of updates for its Android operating system (OS), including fixes for five critical security vulnerabilities found in the popular mobile OS.

The January 2016 Nexus Security Bulletin resolves 12 security flaws in the mobile operating system, including two rated high risk and five moderate, in addition to the five rated as critical.

The most severe of the newly fixed bugs in Android is a remote code execution (RCE) vulnerability in Mediaserver, which could allow an attacker to cause memory corruption and remote code execution during media file and data processing of a specially crafted file. The issue has received the Common Vulnerability and Exposures ID (CVE) CVE-2015-6636 and affects Android 5.0, 5.1.1, 6.0, and 6.0.1 versions.

The mediaserver service has access to audio and video streams and privileges unavailable for third-party apps and is provided as a core part of Android with multiple applications being able to reach it with remote content, including MMS and browser playback of media. The issue was discovered by Google’s employees and builds LMY49F or later and Android 6.0 with Security Patch Level of January 1, 2016 or later address it.

The vulnerability appears to be similar in scope to the “Stagefright” vulnerability that was disclosed in July 2015, which affected nearly one billion Android devices. Google’s initial patch did not properly address the mediaserver service flaw.

Google committed to releasing monthly security fixes for the Android platform in August 2015. In September, a Stagefright exploit was released and Google patched a Stagefright 2.0 vulnerability in October, after it was discovered to affect the same libraries as the original issue.

Google’s latest Nexus Security Bulletin also resolves an elevation of privilege (EoP) flaw in the misc-sd driver from MediaTek (CVE-2015-6637) and an EoP issue in a kernel driver from Imagination Technologies (CVE-2015-6638), which could allow local malicious applications execute arbitrary code within the kernel, both rated critical.

The new set of security updates also resolves two critical EoP vulnerabilities in the Widevine QSEE TrustZone application (CVE-2015-6639 and CVE-2015-6647) that could enable a compromise, privileged application with access to QSEECOM to execute arbitrary code in the Trustzone context. Additionally, it patches a critical EoP in the kernel (CVE-2015-6640) that could enable a local malicious application to execute arbitrary code in the kernel.

The Security Bulletin fixes two flaws rated high risk, namely an EoP in the Bluetooth component (CVE-2015-6641) that could enable a remote device paired over Bluetooth to gain access to user’s contacts, and an information disclosure vulnerability in the kernel (CVE-2015-6642) that could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. Successful exploits could gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, Google said.

The five medium risk vulnerabilities resolved in the new set of patches include an EoP in Setup Wizard (CVE-2015-6643), which requires physical access to the device; an EoP in Wi-Fi (CVE-2015-5310), which could allow access to Wi-Fi service related information; an information disclosure vulnerability in Bouncy Castle (CVE-2015-6644); and a denial of service vulnerability in the SyncManager (CVE-2015-6645). The patch also reduces attack surface exposure on Nexus devices (CVE-2015-6646) by removing SysV IPC from the OS.

Google said its partners were notified on the issues about a month ago, while the source code for these patches will be released in Android Open Source Project (AOSP) repository within the next couple of days.

Last month, Google resolved 19 security vulnerabilities in the Android platform, five rated critical (), the most severe of which was also related to the mediaserver process. The company’s manufacturing partners have also started to adhere to the monthly cycle of security updates, including Samsung and BlackBerry, the latter releasing the first such set of patches on Dec. 1, 2015.