Got a Nexus? Google has five critical Android security fixes for you

Have any other Android device? You've got five new gaping holes

47 Reg comments Got Tips?

Google has fixed 12 security bugs in its Android source code – including five that would allow miscreants to achieve remote code execution or root access.

The Mountain View giant said its January Android security update includes patches for five CVE-listed security vulnerabilities it rates as "critical" risks, two considered "high" security risks, and five flaws rated as "moderate." The upgrade is being pushed to Nexus gadgets as over-the-air downloads – so check for updates and eventually they will arrive and install.

The security blunders – listed below – are present in various versions of Android, from 4.4 (aka KitKat) to 6 (aka Marshmallow).

Issue CVE Severity
Remote Code Execution Vulnerability in Media Server CVE-2015-6636 Critical
Elevation of Privilege Vulnerability in misc-sd driver CVE-2015-6637 Critical
Elevation of Privilege Vulnerability in the Imagination Technologies driver CVE-2015-6638 Critical
Elevation of Privilege Vulnerabilities in Trust Zone CVE-2015-6639 Critical
Elevation of Privilege Vulnerability in Kernel CVE-2015-6640 Critical
Elevation of Privilege Vulnerability in Bluetooth CVE-2015-6641 High
Information Disclosure Vulnerability in Kernel CVE-2015-6642 High
Elevation of Privilege Vulnerability in Setup Wizard CVE-2015-6643 Moderate
Elevation of Privilege Vulnerability in Wi-Fi CVE-2015-5310 Moderate
Information Disclosure Vulnerability in Bouncy Castle CVE-2015-6644 Moderate
Denial of Service Vulnerability in SyncManager CVE-2015-6645 Moderate
Attack Surface Reduction for Nexus Kernels CVE-2015-6646 Moderate

The five critical bugs include one remote code execution flaw (CVE-2015-6636) in which an attacker can inject malware into a device by way of a memory corruption error in Media Server. That flaw can be exploited with the use of a malformed media file included in a web page, email, or MMS message sent to the target.

The other four critical bugs all concern elevation of privilege flaws that could be exploited to root a device. An application already installed on the device could possibly exploit one of the four flaws to bypass Android security protections on third-party apps. Should such an exploit occur, the only way to remove the app would be by reflashing the operating system.

The remaining updates consist of three elevation of privilege vulnerabilities, two information disclosure flaws, one denial of service vulnerability and one "attack surface reduction" fix that deletes an unused component in the Android kernel.

Google itself is only releasing updates for its Nexus devices. Other Android handsets and tablets will have to be updated by their respective vendors and carriers, so you'll have to wait for them to get round to it. Google said it sent out the updates to all of its Android partners back on December 7.

The web goliath added:

We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. The Nexus firmware images have also been released to the Google Developer site. Builds LMY49F or later and Android 6.0 with Security Patch Level of January 1, 2016 or later address these issues. Refer to the Common Questions and Answers section for more details.

The Chocolate Factory will publish its patches on its Android Open Source Platform repository within the next couple of days.

It also points out that its operating system has some defenses built in to block malware trying to exploit these holes: for example, Google Hangouts and Messenger do not automatically pass potentially booby-trapped media to bug-riddled mediaserver. ®


Biting the hand that feeds IT © 1998–2020