Since last summer’s Stagefright vulnerabilities toppled the Android world for a few weeks, researchers inside and out of Google have been taking a close look at not only the maligned media playback engine, but also at Mediaserver where it lives.
Today’s release of the monthly Android Nexus Security Bulletin includes patches for another critical vulnerability in Mediaserver, keeping a streak going of consecutive months with serious issues addressed in the software.
Flaws in Mediaserver pose serious problems for Android devices because it interacts with a number of applications that can be used to exploit the bug, including MMS and browser media playback features. Versions 5.0, 5.1.1, 6.0 and 6.0.1 are affected, Google said.
Google said in today’s advisory that the Mediaserver flaw, CVE-2015-6636, is the most serious among the dozen being patched, and that it allows an attacker to use email, web browsing, or MMS processing of media files to exploit the vulnerability and remotely execute code.
“During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process,” Google said.
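The practical question for anyone managing Nexus devices after a bulletin like this is whether a given build is in the affected range and whether it has taken the update. The following is an added example, not code from Google or from the bulletin: it parses constructed `adb shell getprop` output, checks the release against the versions the article lists, and compares the device's `ro.build.version.security_patch` value with a required patch level. The patch-level string used in the demo is a constructed placeholder, not taken from the article; substitute the level the bulletin itself states.

```python
"""Decide whether an Android build is in the affected range and whether its
security patch level is current.

Added example for this article, not Google's or the bulletin's code. Inputs are
constructed `adb shell getprop` excerpts; the required patch level is a
placeholder the reader replaces with the value printed in the bulletin.
"""
import re
from datetime import date

# Affected releases exactly as the article lists them.
AFFECTED_RELEASES = {"5.0", "5.1.1", "6.0", "6.0.1"}

# getprop prints one "[name]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Parse `adb shell getprop` output into a {name: value} dict."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level; None if the value is absent or malformed."""
    if not value:
        return None
    try:
        y, m, d = (int(part) for part in value.split("-"))
        return date(y, m, d)
    except ValueError:
        return None


def assess(getprop_text, required_patch_level):
    """Return release, affected flag, patch level and a verdict for one device.

    `patched` is None when the device does not expose a patch level (builds
    before 6.0 generally lack ro.build.version.security_patch), so the caller
    cannot treat silence as safety.
    """
    props = parse_getprop(getprop_text)
    release = props.get("ro.build.version.release", "")
    affected = release in AFFECTED_RELEASES
    have = parse_patch_level(props.get("ro.build.version.security_patch"))
    need = parse_patch_level(required_patch_level)
    patched = None if (have is None or need is None) else have >= need
    if not affected:
        verdict = "release not in the bulletin's affected list"
    elif patched is None:
        verdict = "affected release, patch level unknown (property missing)"
    elif patched:
        verdict = "affected release, patch level at or past the bulletin"
    else:
        verdict = "affected release, patch level behind the bulletin"
    return {
        "release": release,
        "affected": affected,
        "patch_level": props.get("ro.build.version.security_patch"),
        "patched": patched,
        "verdict": verdict,
    }


# Constructed placeholder for the demo; replace with the bulletin's stated level.
BULLETIN_PATCH_LEVEL = "2016-01-01"

# Constructed getprop excerpts (not captured from real devices).
SAMPLE_UNPATCHED = """\
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2015-12-01]
"""
SAMPLE_LOLLIPOP = """\
[ro.build.version.release]: [5.1.1]
"""

if __name__ == "__main__":
    for sample in (SAMPLE_UNPATCHED, SAMPLE_LOLLIPOP):
        print(assess(sample, BULLETIN_PATCH_LEVEL)["verdict"])
```

Run it against `adb -s <serial> shell getprop` output for each device in a fleet; the three-way `patched` result keeps devices that cannot report a patch level visible as unknowns rather than letting them pass.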
Google patched five vulnerabilities, including Mediaserver, that it rated critical, two rated high, and five others rated moderate.
The remaining critical flaws were all elevation of privilege issues in the misc-sd driver, the Imagination Technologies driver, Trustzone, the Android kernel, and the Bluetooth implementation.
The misc-sd driver and Imagination Technologies driver issues could allow malicious apps downloaded to the device to execute code at the kernel level, and could result in a permanent compromise that would be addressed only by re-flashing the operating system, Google said.
The Trustzone vulnerabilities were found in the Widevine QSEE Trustzone application and would allow a compromised app with access to QSEECOM to execute code in the Trustzone context, Google said.
A separate elevation of privilege issue was found in the kernel that would also open the door to malicious apps executing code in the kernel.
Of the two flaws rated High by Google, the one found in the Android Bluetooth component puts personal information at risk. The flaw, Google said, could allow a device paired over Bluetooth to access personal information such as contacts.
The other flaw rated High is an information disclosure vulnerability in the kernel that could allow an attacker to bypass security features in the operating system. Google added that the flaw could be used to gain elevated privileges such as Signature or SignatureOrSystem.
The remaining vulnerabilities addressed today were rated moderate and include elevation of privilege flaws in the Android Setup Wizard and Wi-Fi, an information disclosure bug in Bouncy Castle crypto APIs, and a denial-of-service flaw in SyncManager.
Google also removed SysV IPC from Android because it is not supported in the OS and exposes additional attack surface.