Google today pushed out its monthly Android patches, addressing what is becoming a monthly custom, a critical Mediaserver vulnerability, in addition to a half-dozen critical flaws in different Qualcomm drivers.
The Android Security Bulletin includes patches for eight critical flaws, and while Mediaserver has been a mainstay since Google began releasing patches on a regular monthly cycle, it does not get off lightly this month despite having only one critical patch. There are a dozen others rated high severity, where, for example, remote attacks are more difficult or require user interaction.
Qualcomm gear in Android, however, has been a focus lately as well for researchers. Last month, details about a flaw in Qualcomm’s Secure Execution Environment related to Mediaserver were disclosed; it put 60 percent of Android devices at risk before it was patched in January. The vulnerability impacts versions up to and including Marshmallow, and despite a patch being available for close to six months, it’s difficult to tell how many devices have actually been pushed a fix by their carrier or handset maker.
This month, a host of elevation of privilege vulnerabilities in Qualcomm drivers were patched that affect Nexus 5, 6 and 7 devices in some cases, Google said. For each of the six vulnerabilities affecting the Qualcomm Video Driver, Qualcomm Sound Driver, Qualcomm GPU Driver and Qualcomm Wi-Fi Driver, an attacker could use a malicious application to exploit the flaw and run code in the context of the kernel. Google warns that in each case, an exploit could brick an Android device, requiring that it be re-flashed.
All of today’s flaws were patched on Nexus devices in an over-the-air update, while Google said carriers and manufacturers were sent the updates on May 2. The Android Open Source Project (AOSP) is expected to be updated in the next two days.
The critical Mediaserver flaw exposes Android devices to remote code execution; an attacker can send a vulnerable device a malicious media file that corrupts memory during processing of the file. Mediaserver was at the center of last summer’s Stagefright vulnerabilities and is particularly risky because it has system- and kernel-level privileges.
The dozen high-severity issues in Mediaserver, meanwhile, are also elevation of privilege flaws that can be exploited by a local malicious app to execute code. An attacker could use these flaws to gain Signature or SignatureOrSystem privileges, Google said.
The remaining critical patch addresses a remote code execution flaw in libwebm, an open media file format that is supported by most of the major browsers for video playback. An attacker can exploit this to run code remotely in the context of the Mediaserver process.
Google also patched high-severity elevation of privilege vulnerabilities in Qualcomm Sound Driver, Qualcomm Camera Driver, Qualcomm Video Driver, and Qualcomm Wi-Fi Driver, as well as in the Broadcom Wi-Fi Driver, NVIDIA Camera Driver, MediaTek Power Management Driver, and SD Card Emulation Layer.