It's a new month, and as always, Google has published its monthly security update for the Android Open Source Project (AOSP). As our colleague reported yesterday, this month's security bulletin is already available for BlackBerry PRIV devices, and should shortly be available for Nexus handsets.
This time around, Google fixed 19 security issues, seven of which were rated critical, the highest level on Android's security severity scale.
But as Google's engineers have admitted themselves, if they had to choose, they'd select CVE-2016-0815 and its companion, CVE-2016-0816, as the most severe bugs included in this release.
Both are vulnerabilities in the Android Mediaserver component, and if you've been following Android's security bulletins since September 2015, when Google launched them, then you'd know this is a lingering issue from the two Stagefright bugs that affected Android last year.
Google engineers say that the two bugs they've just fixed in Android's Mediaserver component, if left unpatched, allow an attacker to craft a malicious multimedia file which, when received and (automatically) processed by an Android device, leads to the execution of malicious code on the smartphone.
The two Mediaserver bugs are dangerous if left unpatched
The severity of this issue is better explained by Google's engineers, who are saying that "the mediaserver service has access to audio and video streams as well as access to privileges that third-party apps could not normally access."
Exploitation of this issue can give the attacker a far-reaching hand into the core of a victim's Android phone, just by sending an MMS, a photo via IM apps, or tricking the user into accessing a Web page holding a malicious image, audio, or video file.
The other issues fixed by Google's team are listed in the table below, along with their CVE identifiers.
Issue | CVE | Severity |
---|---|---|
Remote Code Execution Vulnerability in Mediaserver | CVE-2016-0815, CVE-2016-0816 | Critical |
Remote Code Execution Vulnerabilities in libvpx | CVE-2016-1621 | Critical |
Elevation of Privilege in Conscrypt | CVE-2016-0818 | Critical |
Elevation of Privilege Vulnerability in the Qualcomm Performance Component | CVE-2016-0819 | Critical |
Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver | CVE-2016-0820 | Critical |
Elevation of Privilege Vulnerability in Keyring Component | CVE-2016-0728 | Critical |
Mitigation Bypass Vulnerability in the Kernel | CVE-2016-0821 | High |
Elevation of Privilege in MediaTek Connectivity Driver | CVE-2016-0822 | High |
Information Disclosure Vulnerability in Kernel | CVE-2016-0823 | High |
Information Disclosure Vulnerability in libstagefright | CVE-2016-0824 | High |
Information Disclosure Vulnerability in Widevine | CVE-2016-0825 | High |
Elevation of Privilege Vulnerability in Mediaserver | CVE-2016-0826, CVE-2016-0827 | High |
Information Disclosure Vulnerability in Mediaserver | CVE-2016-0828, CVE-2016-0829 | High |
Remote Denial of Service Vulnerability in Bluetooth | CVE-2016-0830 | High |
Information Disclosure Vulnerability in Telephony | CVE-2016-0831 | Moderate |
Elevation of Privilege Vulnerability in Setup Wizard | CVE-2016-0832 | Moderate |