Google today patched two critical holes in its problematic Android Mediaserver component which would allow an attacker to use email, web browsing, and MMS processing of media files to remotely execute code. With this latest vulnerability, Google has patched its Mediaserver more than two dozen times since the Stagefright vulnerability was discovered in August.
The patch is part of Google’s monthly over-the-air security update for Android Nexus devices. In total, Google identified 16 vulnerabilities as part of this month’s Android Nexus Security Bulletin, of which six were rated as critical, eight as high and two as moderate. Google said a Nexus patch would be available within the next 48 hours and available at the Android Open Source Project repository. It says wireless carriers and device makers were made aware of the upcoming security bulletin on Feb. 1.
According to Google, the critical flaws could enable remote code execution on an affected device via email, web browsing, and MMS when processing media files. “During media file and data processing of a specially crafted file, vulnerabilities in Mediaserver could allow an attacker to cause memory corruption and remote code execution as the Mediaserver process,” wrote Google in its bulletin.
Along with the Mediaserver vulnerabilities (CVE-2016-0815 and CVE-2016-0816), Google identified a third critical vulnerability, in Libvpx (CVE-2016-1621), that also allows remote code execution.
“On one hand, this type of functionality (Mediaserver) is known to have vulnerabilities. But knowing that, Google could do a much better job isolating this type of risky attack surface as well as making sure that the Mediaserver can be updated in an expedient manner,” said Jon Oberheide, co-founder and CTO, Duo Security. “Wireless carriers are notoriously slow when it comes to these type of out-of-band patches,” he said.
Google said Nexus device owners need to update to Nexus firmware builds LMY49H and later, and Android Marshmallow. Alternatively, Android users can check the firmware version on their devices to see whether the updates have been applied, and verify the date the latest Android security patch was installed.
As part of Google’s remediation efforts, it said the Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet, both of which warn users about potentially harmful applications that are about to be installed. Google said it was unaware of any attempts to exploit the listed vulnerabilities.
Google also said it was releasing patches for a critical privilege elevation vulnerability in the Android kernel. The vulnerabilities identified are in Conscrypt (CVE-2016-0818), a Qualcomm performance component (CVE-2016-0819), MediaTek’s Wi-Fi driver (CVE-2016-0820) and the device’s keyring component (CVE-2016-0728).