Google fixes 19 bugs in monthly Android security bulletin

Mar 8, 2016 10:00 GMT  ·  By

It's a new month, and as always, Google has published its monthly security update for the Android Open Source Project (AOSP). As our colleague reported yesterday, this month's security bulletin is already available for BlackBerry PRIV devices, and should shortly be available for Nexus handsets.

This time around, Google fixed 19 security issues, seven of which were critical issues, the highest level on the security severity scale a bug can have.

But as Google's engineers have admitted themselves, if they had to choose, they'd select CVE-2016-0815 and its companion, CVE-2016-0816, as the most severe bugs included in this release.

Both are vulnerabilities in the Android Mediaserver component, and if you've been following Android's security bulletins since September 2015, when Google launched them, then you'd know this is a lingering issue from the two Stagefright bugs that affected Android last year.

Google engineers are saying that the two bugs they've just fixed in Android's Mediaservice component, if left unattended, allow an attacker to craft a malicious multimedia file, which when received and (automatically) processed by an Android device leads to the execution of malicious code on the smartphone.

The two Mediaserver bugs are dangerous if left unpatched

The severity of this issue is better explained by Google's engineers, who are saying that "the mediaserver service has access to audio and video streams as well as access to privileges that third-party apps could not normally access."

Exploitation of this issue can give the attacker a far-reaching hand into the core of a victim's Android phone, just by sending an MMS, a photo via IM apps, or tricking the user into accessing a Web page holding a malicious image, audio, or video file.

The other issues fixed by Google's team are listed in the table below, along with their CVE identifiers.  

Issue CVE Severity
Remote Code Execution Vulnerability in Mediaserver CVE-2016-0815
CVE-2016-0816
Critical
Remote Code Execution Vulnerabilities in libvpx CVE-2016-1621 Critical
Elevation of Privilege in Conscrypt CVE-2016-0818 Critical
Elevation of Privilege Vulnerability in the Qualcomm
Performance Component
CVE-2016-0819 Critical
Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver CVE-2016-0820 Critical
Elevation of Privilege Vulnerability in Keyring Component CVE-2016-0728 Critical
Mitigation Bypass Vulnerability in the Kernel CVE-2016-0821 High
Elevation of Privilege in MediaTek Connectivity Driver CVE-2016-0822 High
Information Disclosure Vulnerability in Kernel CVE-2016-0823 High
Information Disclosure Vulnerability in libstagefright CVE-2016-0824 High
Information Disclosure Vulnerability in Widevine CVE-2016-0825 High
Elevation of Privilege Vulnerability in Mediaserver CVE-2016-0826
CVE-2016-0827
High
Information Disclosure Vulnerability in Mediaserver CVE-2016-0828
CVE-2016-0829
High
Remote Denial of Service Vulnerability in Bluetooth CVE-2016-0830 High
Information Disclosure Vulnerability in Telephony CVE-2016-0831 Moderate
Elevation of Privilege Vulnerability in Setup Wizard CVE-2016-0832 Moderate