Google’s latest set of Nexus patches are rolling out now to resolve multiple Critical vulnerabilities in Android, including a series of remote code execution (RCE) flaws in the mediaserver component.
Since last July, when mobile security firm Zimperium revealed a series of critical RCE flaws in the Android Stagefright media playback engine, Google has been constantly struggling to patch similar issues. In October, as part of the over-the-air monthly updates rolling out to Nexus devices, the Internet giant patched a second Stagefright flaw.
Google continued to resolve vulnerabilities in Android’s mediaserver in subsequent monthly updates for the popular mobile operating system. An RCE issue was resolved in January, amid a total of 12 vulnerabilities in Android, and two more RCE flaws were patched last month, when Google fixed 16 security bugs in the platform.
The April 2016 Nexus Security Bulletin details 29 security patches, including one for an elevation of privilege (EoP) vulnerability that was fixed with an emergency security patch on March 18. The new round of security updates resolve a total of 39 vulnerabilities in Android, 15 of which are rated Critical, 16 High, and 8 Moderate.
The most important of these appear to be the seven RCE issues in mediaserver (CVE-2016-0835 to CVE-2016-0841), which impact Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1 releases. The flaws could be exploited during media file and data processing of a specially crafted file, and attacks can be performed via MMS, browser, and other applications.
Google’s April security bulletin also patches an RCE issue in Media Codec (CVE-2016-0834) and another one in libstagefright (CVE-2016-0842), both affecting Android 6.0 and Android 6.0.1 and both related to the media playback engine. In July, Zimperiu revealed that libstagefright include a Critical flow that affected over 950 million devices, yet Google didn’t patch it properly in the first place.
Other newly resolved Critical vulnerabilities also include two issues (CVE-2014-6060 and CVE-2016-1503) that affect the Dynamic Host Configuration Protocol (DHCP) service and which could result in RCE in the context of the DHCP client. The issues impact Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1.
The new set of security updates also patched three elevation of privilege flaws, one in Qualcomm Performance Module (CVE-2016-0843), affecting Android 4.4.4 to 6.0.1 releases, one in Qualcomm RF component (CVE-2016-0844), affecting Android 6.0 and 6.0.1, and another one in Kernel (CVE-2014-9322), affecting Android 6.0 and 6.0.1.
Most of the High severity vulnerabilities fixed in the April security bulletin are EoP bugs, affecting IMemory Native Interface, Telecom Component, Download Manager, Recovery Procedure, Bluetooth, Texas Instruments Haptic Driver, a Video Kernel Driver, Qualcomm Power Management Component, System_server, and Mediaserver. Google also resolved a denial of service issue in Minikin, and five information disclosure vulnerabilities, one in Exchange ActiveSync and four in Mediaserver.
According to Google, Nexus devices with Security Patch Levels of April 2, 2016 or later installed on them are protected from these flaws. Owners of Android devices coming from other manufacturers will have to wait a bit longer for these security updates to arrive, except for BlackBerry PRIV owners, who are already receiving them.
