Another month, another patching cycle for Android. Google's mobile OS has picked up seven critical patches, ten classed as high priority, and a pair of moderately important fixes.
In short, playing back a booby-trapped video or receiving a message with malware hidden in it could lead to malicious code running on a vulnerable Android device that hasn't been patched.
"We have had no reports of active customer exploitation of these newly reported issues," the March advisory states.
"Partners were notified about the issues described in the bulletin on February 1, 2016 or earlier. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours."
Most of the critical flaws were found by Google's internal security team, and nearly half deal with programming blunders in Android's Swiss-cheese-like mediaserver library, some directly and some indirectly via libvpx.
Being able to inject malware into mediaserver, via a message or video, is bad because, according to Google, "the mediaserver service has access to audio and video streams as well as access to privileges that third-party apps could not normally access."
A critical flaw in Qualcomm's performance component on Android would also lead to a permanent root that would require re-flashing the operating system to fix. The same drastic fix would also be needed if the kernel keyring component flaw isn't fixed.
Meanwhile, moves to strengthen Android against the attacks involving libstagefright only get a high severity rating, as do yet more fixes for mediaserver. The full list of bugs – some reaching as far back as Android 4.4 as well as versions 5 and 6 – is below:
| Issue | CVE | Severity |
|---|---|---|
| Remote Code Execution Vulnerability in Mediaserver | CVE-2016-0815, CVE-2016-0816 | Critical |
| Remote Code Execution Vulnerabilities in libvpx | CVE-2016-1621 | Critical |
| Elevation of Privilege in Conscrypt | CVE-2016-0818 | Critical |
| Elevation of Privilege Vulnerability in the Qualcomm Performance Component | CVE-2016-0819 | Critical |
| Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver | CVE-2016-0820 | Critical |
| Elevation of Privilege Vulnerability in Keyring Component | CVE-2016-0728 | Critical |
| Mitigation Bypass Vulnerability in the Kernel | CVE-2016-0821 | High |
| Elevation of Privilege in MediaTek Connectivity Driver | CVE-2016-0822 | High |
| Information Disclosure Vulnerability in Kernel | CVE-2016-0823 | High |
| Information Disclosure Vulnerability in libstagefright | CVE-2016-0824 | High |
| Information Disclosure Vulnerability in Widevine | CVE-2016-0825 | High |
| Elevation of Privilege Vulnerability in Mediaserver | CVE-2016-0826, CVE-2016-0827 | High |
| Information Disclosure Vulnerability in Mediaserver | CVE-2016-0828, CVE-2016-0829 | High |
| Remote Denial of Service Vulnerability in Bluetooth | CVE-2016-0830 | High |
| Information Disclosure Vulnerability in Telephony | CVE-2016-0831 | Moderate |
| Elevation of Privilege Vulnerability in Setup Wizard | CVE-2016-0832 | Moderate |
The vast majority of Android users aren't going to be getting these updates soon enough, however. Nexus owners will get a push this week, and Samsung's better than most at pushing out fixes, but some other handset owners may carry these flaws until they upgrade their hardware.
In the meantime, the malware writers will be getting busy reverse-engineering the Android patches and designing code to exploit the flaws. In the PC sphere this can take as little as 48 hours, although for mobile it's taking a little longer.