Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Patches Critical Flaw in Android Mediaserver

Google on Monday released the latest set of updates for its Android operating system (OS), including fixes for five critical security vulnerabilities found in the popular mobile OS.

Google on Monday released the latest set of updates for its Android operating system (OS), including fixes for five critical security vulnerabilities found in the popular mobile OS.

The January 2016 Nexus Security Bulletin resolves 12 security flaws in the mobile operating system, including two rated high risk and five moderate, in addition to the five rated as critical.

The most severe of the newly fixed bugs in Android is a remote code execution (RCE) vulnerability in Mediaserver, which could allow an attacker to cause memory corruption and remote code execution during media file and data processing of a specially crafted file. The issue has received the Common Vulnerability and Exposures ID (CVE) CVE-2015-6636 and affects Android 5.0, 5.1.1, 6.0, and 6.0.1 versions.

The mediaserver service has access to audio and video streams and privileges unavailable for third-party apps and is provided as a core part of Android with multiple applications being able to reach it with remote content, including MMS and browser playback of media. The issue was discovered by Google’s employees and builds LMY49F or later and Android 6.0 with Security Patch Level of January 1, 2016 or later address it.

The vulnerability appears to be similar in scope to the “Stagefright” vulnerability that was disclosed in July 2015, which affected nearly one billion Android devices. Google’s initial patch did not properly address the mediaserver service flaw.

Google committed to releasing monthly security fixes for the Android platform in August 2015. In September, a Stagefright exploit was released and Google patched a Stagefright 2.0 vulnerability in October, after it was discovered to affect the same libraries as the original issue.

Google’s latest Nexus Security Bulletin also resolves an elevation of privilege (EoP) flaw in the misc-sd driver from MediaTek (CVE-2015-6637) and an EoP issue in a kernel driver from Imagination Technologies (CVE-2015-6638), which could allow local malicious applications execute arbitrary code within the kernel, both rated critical.

The new set of security updates also resolves two critical EoP vulnerabilities in the Widevine QSEE TrustZone application (CVE-2015-6639 and CVE-2015-6647) that could enable a compromise, privileged application with access to QSEECOM to execute arbitrary code in the Trustzone context. Additionally, it patches a critical EoP in the kernel (CVE-2015-6640) that could enable a local malicious application to execute arbitrary code in the kernel.

The Security Bulletin fixes two flaws rated high risk, namely an EoP in the Bluetooth component (CVE-2015-6641) that could enable a remote device paired over Bluetooth to gain access to user’s contacts, and an information disclosure vulnerability in the kernel (CVE-2015-6642) that could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. Successful exploits could gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, Google said.

The five medium risk vulnerabilities resolved in the new set of patches include an EoP in Setup Wizard (CVE-2015-6643), which requires physical access to the device; an EoP in Wi-Fi (CVE-2015-5310), which could allow access to Wi-Fi service related information; an information disclosure vulnerability in Bouncy Castle (CVE-2015-6644); and a denial of service vulnerability in the SyncManager (CVE-2015-6645). The patch also reduces attack surface exposure on Nexus devices (CVE-2015-6646) by removing SysV IPC from the OS.

Google said its partners were notified on the issues about a month ago, while the source code for these patches will be released in Android Open Source Project (AOSP) repository within the next couple of days.

Last month, Google resolved 19 security vulnerabilities in the Android platform, five rated critical (), the most severe of which was also related to the mediaserver process. The company’s manufacturing partners have also started to adhere to the monthly cycle of security updates, including Samsung and BlackBerry, the latter releasing the first such set of patches on Dec. 1, 2015.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.