Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Patches Critical Vulnerabilities in Android

Google has patched another series of Critical vulnerabilities in Android, including a remote code execution (RCE) flaw in mediaserver and several elevation of privilege (EoP) issues in various drivers and components.

Google has patched another series of Critical vulnerabilities in Android, including a remote code execution (RCE) flaw in mediaserver and several elevation of privilege (EoP) issues in various drivers and components.

The Internet giant included 16 security patches for 19 vulnerabilities in this month’s Nexus Security Bulletin, which is the eighth monthly update coming from the company since the Stagefright flaw was discovered in July last year to affect nearly 1 billion devices.

The Security Bulletin reveals that seven of these vulnerabilities were rated Critical, ten were rated High, and two Moderate. While many of these flaws were EoP issues, Google also resolved information disclosure bugs in the mobile OS, along with a mitigation bypass vulnerability, and a remote denial of service flaw.

Fortunately, Google said it has not had any reports of active customer exploitation of the newly patched vulnerabilities.

The new set of security updates for Android once again resolves vulnerabilities in mediaserver, the platform component that was affected by Stagefright and Stagefright 2.0 last year. This month, Google patched two RCE issues in it (CVE-2016-0815 and CVE-2016-0816), which could be exploited during the processing of a specially crafted media file, and which affect Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1.

Google also patched 4 EoP flaws affecting Conscrypt (CVE-2016-0818), the Qualcomm Performance Component (CVE-2016-0819), MediaTek Wi-Fi Driver (CVE-2016-0820), and Keyring Component (CVE-2016-0728). The issue with the MediaTek Wi-Fi Kernel Driver affects Android 6.0.1, while the other three were found in Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1.

The vulnerability in Conscrypt could allow a specific type of invalid certificate, issued by an intermediate Certificate Authority (CA), to be incorrectly trusted, which may enable a man in the middle attack. The other three could enable a local malicious application to execute arbitrary code within the kernel, with CVE-2016-0819 and CVE-2016-0728 possibly resulting in permanent device compromise.

Of the 10 High risk flaws resolved in the March Nexus Security Bulletin, one is a mitigation bypass vulnerability in the kernel (CVE-2016-0821), one a remote denial of service bug in Bluetooth (CVE-2016-0830), one EoP issue in MediaTek connectivity driver (CVE-2016-0822), and two EoP flaws in mediaserver (CVE-2016-0826 and CVE-2016-0827).

Google also patched information disclosure vulnerabilities in kernel (CVE-2016-0823), libstagefright (CVE-2016-0824), Widevine (CVE-2016-0825), and mediaserver (CVE-2016-0828 and CVE-2016-0829). Most of these flaws affect Android 6.0 and 6.0.1 releases, but the ones in mediaserver were found in all Android versions starting with 4.4.4.

All of these issues have been addressed in Android Build LMY49H or later and Android 6.0 with Security Patch Level of March 1, 2016 or later, Google notes. The company notified its partners on these issues on February 1, 2016 or earlier and plans on publishing the source code patches for these issues to the Android Open Source Project (AOSP) repository in the next couple of days.

In August 2015, Google committed to regular, monthly updates for Nexus devices, and partner manufacturers such as Samsung and BlackBerry also announced plans to follow Google’s footsteps.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.