Google has patched another critical Android vulnerability in Mediaserver, a component that has been maligned since this summer’s barrage of patches for the Stagefright vulnerability, along with a critical rooting vulnerability in the mobile operating system’s kernel.
In all, 19 vulnerabilities were patched in Monday’s monthly over-the-air security update for Google Nexus mobile devices: five rated critical, 12 rated high, and two rated moderate. The issues were resolved in Nexus firmware Builds LMY48Z and later, and Android Marshmallow. Google said that source code patches will be available in the Android Open Source Project repository within 48 hours.
The Mediaserver flaw, CVE-2015-6616, is the most serious, Google said, adding that four of the critical bugs can be exploited remotely.
“During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process,” Google said in its security bulletin. Mediaserver is a core component of the Android OS and it interacts with a number of applications that can be used to exploit the bug, including MMS and browser media playback features, Google said.
In November, Google patched another batch of Stagefright vulnerabilities living in Mediaserver; a separate critical vulnerability was also patched in the service. Yesterday’s update also included a patch for privilege elevation and information disclosure bugs in Stagefright that Google rated high severity. The privilege elevation bug could enable an attacker to gain Signature or SignatureOrSystem permissions that are accessible only locally, and not by third-party applications, while the information disclosure bug occurs during communication with Mediaserver and bypasses security measures in place, Google said.
Google also patched a critical privilege elevation vulnerability in the Android kernel, CVE-2015-6619. An attacker could use a malicious Android app to execute code at the root level, which could lead to “local permanent device compromise.” Google said that in that case, a device would have to be re-flashed.
A remote code execution bug was also patched in the Android Skia Graphics Engine, CVE-2015-6617. An attacker could exploit this vulnerability via a number of different avenues, including email, web browsing and MMS when processing media files.
The remaining critical vulnerabilities were patched in Android display drivers, exploitable remotely via media file processing. Google said exploits could be carried out over MMS, email and browsing malicious content, and could lead to memory corruption and code execution.
Google also patched vulnerabilities in Bluetooth, SystemUI, Native Frameworks Library, Wi-Fi, System Server, Audio, and Media Framework that it rated high, and other flaws in System Server and SystemUI that were rated moderate.