Google has patched seven of its code execution vulnerabilities in which two of them were rated critical, while four were high and one was moderate. This was the fourth round of Android patching since August this year.
Two flaws, which give attackers remote code execution, that were rated critical include libutils (CVE-2015-6609) and mediaserver (CVE-2015-6608) holes. The holes can be exploited by sending crafted media files to the affected devices.
Google informed their “partners’ about the patch on October 5, and the patch code is set to be available on Nexus, Samsung, and Android Open Source Project, but it will be first available for its latest Marshmallow Android operating system.
In its advisory Google said that, "The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."
"During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media."
Privilege elevation bug is solved in libstagefright library which was separate from StageFright vulnerabilities reported by Zimperium researcher Joshua Drake earlier this year.
Vulnerabilities in Bluetooth (CVE-2015-6613), the mediaserver (CVE-2015-6611), the telephone app (CVE-2015-6614), and libmedia (CVE-2015-6612) were also patched.
Google says “exploitation is made harder on the security-improved Marshmallow Android platform.
Two flaws, which give attackers remote code execution, that were rated critical include libutils (CVE-2015-6609) and mediaserver (CVE-2015-6608) holes. The holes can be exploited by sending crafted media files to the affected devices.
Google informed their “partners’ about the patch on October 5, and the patch code is set to be available on Nexus, Samsung, and Android Open Source Project, but it will be first available for its latest Marshmallow Android operating system.
In its advisory Google said that, "The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."
"During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media."
Privilege elevation bug is solved in libstagefright library which was separate from StageFright vulnerabilities reported by Zimperium researcher Joshua Drake earlier this year.
Vulnerabilities in Bluetooth (CVE-2015-6613), the mediaserver (CVE-2015-6611), the telephone app (CVE-2015-6614), and libmedia (CVE-2015-6612) were also patched.
Google says “exploitation is made harder on the security-improved Marshmallow Android platform.
Issue
|
CVE
|
Severity
|
Remote Code Execution Vulnerabilities in Mediaserver
|
CVE-2015-6608
|
Critical
|
Remote Code Execution Vulnerability in libutils
|
CVE-2015-6609
|
Critical
|
Information Disclosure Vulnerabilities in Mediaserver
|
CVE-2015-6611
|
High
|
Elevation of Privilege Vulnerability in libstagefright
|
CVE-2015-6610
|
High
|
Elevation of Privilege Vulnerability in libmedia
|
CVE-2015-6612
|
High
|
Elevation of Privilege Vulnerability in Bluetooth
|
CVE-2015-6613
|
High
|
Elevation of Privilege Vulnerability in Telephony
|
CVE-2015-6614
|
Moderate
|