Just like clockwork, Google has released a new Android monthly security bulletin for its Nexus devices, and this one contains 19 bugs, of which 5 are critical, 12 are high, and 2 have a moderate severity level.
The security update is for Android builds LMY48Z or later and Android Marshmallow. These updates will be delivered over the air to all Nexus devices in the next 48 hours. Updated Nexus firmware images have also been released on the Google Developer portal.
"The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," says Google, referring to CVE-2015-6616, a bug in Android's mediaserver component.
The other bugs labeled as critical are remote code execution flaws in Android's Skia graphics engine and the display driver, and an elevation of privilege in the kernel itself. All the security bugs rated as critical were discovered internally by Google's security team.
No vulnerabilities have been used in real-world attacks
The remaining fixes address remote code execution, information disclosure, and elevation of privilege vulnerabilities in components such as libstagefright, the System Server, the SystemUI, Media Framework, Native Frameworks Library, Bluetooth, Audio, and Wi-Fi.
The company also reports that its security specialists have not detected any of the bugs being used in real-world attacks.
Issue | CVE | Severity |
---|---|---|
Remote Code Execution Vulnerability in Mediaserver | CVE-2015-6616 | Critical |
Remote Code Execution Vulnerability in Skia | CVE-2015-6617 | Critical |
Elevation of Privilege in Kernel | CVE-2015-6619 | Critical |
Remote Code Execution Vulnerabilities in Display Driver | CVE-2015-6633, CVE-2015-6634 | Critical |
Remote Code Execution Vulnerability in Bluetooth | CVE-2015-6618 | High |
Elevation of Privilege Vulnerabilities in libstagefright | CVE-2015-6620 | High |
Elevation of Privilege Vulnerability in SystemUI | CVE-2015-6621 | High |
Elevation of Privilege Vulnerability in Native Frameworks Library | CVE-2015-6622 | High |
Elevation of Privilege Vulnerability in Wi-Fi | CVE-2015-6623 | High |
Elevation of Privilege Vulnerability in System Server | CVE-2015-6624 | High |
Information Disclosure Vulnerabilities in libstagefright | CVE-2015-6626, CVE-2015-6631, CVE-2015-6632 | High |
Information Disclosure Vulnerability in Audio | CVE-2015-6627 | High |
Information Disclosure Vulnerability in Media Framework | CVE-2015-6628 | High |
Information Disclosure Vulnerability in Wi-Fi | CVE-2015-6629 | High |
Elevation of Privilege Vulnerability in System Server | CVE-2015-6625 | Moderate |
Information Disclosure Vulnerability in SystemUI | CVE-2015-6630 | Moderate |