Google splats more bad Android security bugs with patches your mobe will probably never see

Good news if you've got a Nexus, otherwise you're at risk

Another month, another patching cycle for Android. Google's mobile OS has picked up seven critical patches, ten classed as high priority, and a pair of moderately important fixes.

In short, playing back a booby-trapped video or receiving a message with malware hidden in it could lead to malicious code running on a vulnerable Android device that hasn't been patched.

"We have had no reports of active customer exploitation of these newly reported issues," the March advisory states.

"Partners were notified about the issues described in the bulletin on February 1, 2016 or earlier. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours."

Most of the critical flaws were found by Google's internal security team, and nearly half deal with programming blunders in Android's Swiss-cheese-like mediaserver library, some directly and some indirectly via libvpx.

Being able to inject malware into mediaserver, via a message or video, is bad because, according to Google, "the mediaserver service has access to audio and video streams as well as access to privileges that third-party apps could not normally access."

A critical flaw in Qualcomm's implementation on Android would also lead to a permanent root that would require re-flashing the operating system to fix. The same drastic fix would also be needed if the kernel keyring component flaw isn't fixed.

Meanwhile, moves to strengthen Android against the attacks involving libstagefright only get a high severity rating, as do yet more fixes for Mediaserver. The full list of bugs – some reaching as far back as Android 4.4 as well as versions 5 and 6 – are below:

Issue CVE Severity
Remote Code Execution Vulnerability in Mediaserver CVE-2016-0815, CVE-2016-0816 Critical
Remote Code Execution Vulnerabilities in libvpx CVE-2016-1621 Critical
Elevation of Privilege in Conscrypt CVE-2016-0818 Critical
Elevation of Privilege Vulnerability in the Qualcomm Performance Component CVE-2016-0819 Critical
Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver CVE-2016-0820 Critical
Elevation of Privilege Vulnerability in Keyring Component CVE-2016-0728 Critical
Mitigation Bypass Vulnerability in the Kernel CVE-2016-0821 High
Elevation of Privilege in MediaTek Connectivity Driver CVE-2016-0822 High
Information Disclosure Vulnerability in Kernel CVE-2016-0823 High
Information Disclosure Vulnerability in libstagefright CVE-2016-0824 High
Information Disclosure Vulnerability in Widevine CVE-2016-0825 High
Elevation of Privilege Vulnerability in Mediaserver CVE-2016-0826, CVE-2016-0827 High
Information Disclosure Vulnerability in Mediaserver CVE-2016-0828, CVE-2016-0829 High
Remote Denial of Service Vulnerability in Bluetooth CVE-2016-0830 High
Information Disclosure Vulnerability in Telephony CVE-2016-0831 Moderate
Elevation of Privilege Vulnerability in Setup Wizard CVE-2016-0832 Moderate

The vast majority of Android users aren't going to be getting these updates soon enough, however. Nexus owners will get a push this week, and Samsung's better than most at pushing out fixes, but some other handset owners may carry these flaws until they upgrade their hardware.

In the meantime, the malware writers will be getting busy reverse-engineering the Android patches and designing code to exploit the flaws. In the PC sphere this can take as little as 48 hours, although for mobile it's taking a little longer. ®

Keep Reading

Biting the hand that feeds IT © 1998–2021