Got a Nexus? Google has five critical Android security fixes for you

Have any other Android device? You've got five new gaping holes


Google has fixed 12 security bugs in its Android source code – including five that would allow miscreants to achieve remote code execution or root access.

The Mountain View giant said its January Android security update includes patches for five CVE-listed security vulnerabilities it rates as "critical" risks, two considered "high" security risks, and five flaws rated as "moderate." The upgrade is being pushed to Nexus gadgets as over-the-air downloads – so check for updates and eventually they will arrive and install.

The security blunders – listed below – are present in various versions of Android, from 4.4 (aka KitKat) to 6 (aka Marshmallow).

Issue CVE Severity
Remote Code Execution Vulnerability in Media Server CVE-2015-6636 Critical
Elevation of Privilege Vulnerability in misc-sd driver CVE-2015-6637 Critical
Elevation of Privilege Vulnerability in the Imagination Technologies driver CVE-2015-6638 Critical
Elevation of Privilege Vulnerabilities in Trust Zone CVE-2015-6639 Critical
Elevation of Privilege Vulnerability in Kernel CVE-2015-6640 Critical
Elevation of Privilege Vulnerability in Bluetooth CVE-2015-6641 High
Information Disclosure Vulnerability in Kernel CVE-2015-6642 High
Elevation of Privilege Vulnerability in Setup Wizard CVE-2015-6643 Moderate
Elevation of Privilege Vulnerability in Wi-Fi CVE-2015-5310 Moderate
Information Disclosure Vulnerability in Bouncy Castle CVE-2015-6644 Moderate
Denial of Service Vulnerability in SyncManager CVE-2015-6645 Moderate
Attack Surface Reduction for Nexus Kernels CVE-2015-6646 Moderate

The five critical bugs include one remote code execution flaw (CVE-2015-6636) in which an attacker can inject malware into a device by way of a memory corruption error in Media Server. That flaw can be exploited with the use of a malformed media file included in a web page, email, or MMS message sent to the target.

The other four critical bugs all concern elevation of privilege flaws that could be exploited to root a device. An application already installed on the device could possibly exploit one of the four flaws to bypass Android security protections on third-party apps. Should such an exploit occur, the only way to remove the app would be by reflashing the operating system.

The remaining updates consist of three elevation of privilege vulnerabilities, two information disclosure flaws, one denial of service vulnerability and one "attack surface reduction" fix that deletes an unused component in the Android kernel.

Google itself is only releasing updates for its Nexus devices. Other Android handsets and tablets will have to be updated by their respective vendors and carriers, so you'll have to wait for them to get round to it. Google said it sent out the updates to all of its Android partners back on December 7.

The web goliath added:

We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. The Nexus firmware images have also been released to the Google Developer site. Builds LMY49F or later and Android 6.0 with Security Patch Level of January 1, 2016 or later address these issues. Refer to the Common Questions and Answers section for more details.

The Chocolate Factory will publish its patches on its Android Open Source Platform repository within the next couple of days.

It also points out that its operating system has some defenses built in to block malware trying to exploit these holes: for example, Google Hangouts and Messenger do not automatically pass potentially booby-trapped media to bug-riddled mediaserver. ®


Other stories you might like

  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading
  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • I was fired for blowing the whistle on cult's status in Google unit, says contractor
    The internet giant, a doomsday religious sect, and a lawsuit in Silicon Valley

    A former Google video producer has sued the internet giant alleging he was unfairly fired for blowing the whistle on a religious sect that had all but taken over his business unit. 

    The lawsuit demands a jury trial and financial restitution for "religious discrimination, wrongful termination, retaliation and related causes of action." It alleges Peter Lubbers, director of the Google Developer Studio (GDS) film group in which 34-year-old plaintiff Kevin Lloyd worked, is not only a member of The Fellowship of Friends, the exec was influential in growing the studio into a team that, in essence, funneled money back to the fellowship.

    In his complaint [PDF], filed in a California Superior Court in Silicon Valley, Lloyd lays down a case that he was fired for expressing concerns over the fellowship's influence at Google, specifically in the GDS. When these concerns were reported to a manager, Lloyd was told to drop the issue or risk losing his job, it is claimed. 

    Continue reading
  • Makers of ad blockers and browser privacy extensions fear the end is near
    Overhaul of Chrome add-ons set for January, Google says it's for all our own good

    Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

    Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.

    The anticipated result will be fewer extensions and less innovation, according to several extension developers.

    Continue reading
  • End of the road for biz living off free G Suite legacy edition
    Firms accustomed to freebies miffed that web giant's largess doesn't last

    After offering free G Suite apps for more than a decade, Google next week plans to discontinue its legacy service – which hasn't been offered to new customers since 2012 – and force business users to transition to a paid subscription for the service's successor, Google Workspace.

    "For businesses, the G Suite legacy free edition will no longer be available after June 27, 2022," Google explains in its support document. "Your account will be automatically transitioned to a paid Google Workspace subscription where we continue to deliver new capabilities to help businesses transform the way they work."

    Small business owners who have relied on the G Suite legacy free edition aren't thrilled that they will have to pay for Workspace or migrate to a rival like Microsoft, which happens to be actively encouraging defectors. As noted by The New York Times on Monday, the approaching deadline has elicited complaints from small firms that bet on Google's cloud productivity apps in the 2006-2012 period and have enjoyed the lack of billing since then.

    Continue reading

Biting the hand that feeds IT © 1998–2022