Google has fixed 12 security bugs in its Android source code – including five that would allow miscreants to achieve remote code execution or root access.
The Mountain View giant said its January Android security update includes patches for five CVE-listed security vulnerabilities it rates as "critical" risks, two considered "high" security risks, and five flaws rated as "moderate." The upgrade is being pushed to Nexus gadgets as over-the-air downloads – so check for updates and eventually they will arrive and install.
The security blunders – listed below – are present in various versions of Android, from 4.4 (aka KitKat) to 6 (aka Marshmallow).
| Issue | CVE | Severity |
|---|---|---|
| Remote Code Execution Vulnerability in Media Server | CVE-2015-6636 | Critical |
| Elevation of Privilege Vulnerability in misc-sd driver | CVE-2015-6637 | Critical |
| Elevation of Privilege Vulnerability in the Imagination Technologies driver | CVE-2015-6638 | Critical |
| Elevation of Privilege Vulnerabilities in Trust Zone | CVE-2015-6639 | Critical |
| Elevation of Privilege Vulnerability in Kernel | CVE-2015-6640 | Critical |
| Elevation of Privilege Vulnerability in Bluetooth | CVE-2015-6641 | High |
| Information Disclosure Vulnerability in Kernel | CVE-2015-6642 | High |
| Elevation of Privilege Vulnerability in Setup Wizard | CVE-2015-6643 | Moderate |
| Elevation of Privilege Vulnerability in Wi-Fi | CVE-2015-5310 | Moderate |
| Information Disclosure Vulnerability in Bouncy Castle | CVE-2015-6644 | Moderate |
| Denial of Service Vulnerability in SyncManager | CVE-2015-6645 | Moderate |
| Attack Surface Reduction for Nexus Kernels | CVE-2015-6646 | Moderate |
The five critical bugs include one remote code execution flaw (CVE-2015-6636) in which an attacker can inject malware into a device by way of a memory corruption error in Media Server. That flaw can be exploited with the use of a malformed media file included in a web page, email, or MMS message sent to the target.
The other four critical bugs all concern elevation of privilege flaws that could be exploited to root a device. An application already installed on the device could possibly exploit one of the four flaws to bypass Android security protections on third-party apps. Should such an exploit occur, the only way to remove the app would be by reflashing the operating system.
The remaining updates consist of three elevation of privilege vulnerabilities, two information disclosure flaws, one denial of service vulnerability and one "attack surface reduction" fix that deletes an unused component in the Android kernel.
Google itself is only releasing updates for its Nexus devices. Other Android handsets and tablets will have to be updated by their respective vendors and carriers, so you'll have to wait for them to get round to it. Google said it sent out the updates to all of its Android partners back on December 7.
The web goliath added:
We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. The Nexus firmware images have also been released to the Google Developer site. Builds LMY49F or later and Android 6.0 with Security Patch Level of January 1, 2016 or later address these issues. Refer to the Common Questions and Answers section for more details.
The Chocolate Factory will publish its patches on its Android Open Source Platform repository within the next couple of days.
It also points out that its operating system has some defenses built in to block malware trying to exploit these holes: for example, Google Hangouts and Messenger do not automatically pass potentially booby-trapped media to the bug-riddled mediaserver.
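Google's statement above gives two fix criteria: build LMY49F or later, or a Security Patch Level of January 1, 2016 or later. The following script is an added example (not from the article or from Google) that applies them to the text of `adb shell getprop`; the sample dump is constructed, and treating LMY build IDs as sorting in release order is an assumption.

```shell
#!/bin/sh
# Classify a device against the fix criteria in Google's statement, using the
# text of `adb shell getprop` ("[key]: [value]" lines) supplied on stdin.
FIXED_PATCH_LEVEL="2016-01-01"   # "Security Patch Level of January 1, 2016 or later"
FIXED_LMY_BUILD="LMY49F"         # "Builds LMY49F or later"

# Print the value of property $2 found in getprop text $1 (empty if absent).
get_prop() {
    printf '%s\n' "$1" | awk -v k="[$2]:" \
        '$1 == k { v = $2; gsub(/^\[|\]$/, "", v); print v; exit }'
}

# True when $1 sorts at or after $2 in byte order.
at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$2" ]
}

# Read a getprop dump on stdin; print patched, vulnerable or unknown.
patch_status() {
    dump=$(tr -d '\r')            # adb output on Windows hosts carries CRs
    level=$(get_prop "$dump" ro.build.version.security_patch)
    build=$(get_prop "$dump" ro.build.id)
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            # ISO dates: byte order is date order.
            if at_least "$level" "$FIXED_PATCH_LEVEL"; then echo patched
            else echo vulnerable; fi
            return 0 ;;
    esac
    case "$build" in
        LMY[0-9][0-9][A-Z]*)
            # ASSUMPTION: within the LMY branch, build IDs sort in release order.
            if at_least "$build" "$FIXED_LMY_BUILD"; then echo patched
            else echo vulnerable; fi
            return 0 ;;
    esac
    echo unknown                  # no usable evidence: do not guess
}

# Constructed sample dump (not captured from a real device).
SAMPLE_DUMP='[ro.build.id]: [EXAMPLE01]
[ro.build.version.release]: [6.0]
[ro.build.version.security_patch]: [2015-12-01]'

printf '%s\n' "$SAMPLE_DUMP" | patch_status
```

Devices that report neither a patch level nor an LMY build ID come back as `unknown` and need the vendor's own advisory to classify.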