Google Closes Six Critical Vulnerabilities in Android for Nexus Devices
Google has fixed six critical bugs in the Android Open Source Project. The updated versions will be sent to all Nexus devices from the Nexus 5 onwards via an over-the-air update. The most dangerous bug is again in the media server and can be exploited via an infected file.
With this media server bug, an attacker can remotely execute code when the device processes media files delivered via email, the web browser or MMS. Google writes in its Android Security Bulletin that there are as yet no reports of abuse of the bugs found. Details about these critical bugs, with CVE numbers CVE-2016-2428 and CVE-2016-2429, have not yet been disclosed.
To exploit the bug, an infected media file, such as a video, must be delivered using one of the above methods. The method is reminiscent of the Stagefright bugs that plagued the Android world last year. The infected file then corrupts memory, allowing remote code execution in the context of the media server process.
The other five bugs identified as critical are the ability to run code within the Android debugger; the ability to get additional permissions through the Nvidia video driver, through a Qualcomm WiFi driver and within the Qualcomm TrustZone kernel; and a vulnerability in the kernel with which extended access rights can also be obtained. In all cases it is possible to permanently take over a device, after which the device must be flashed again.
The entire list of forty patched bugs can be found in the Security Bulletin. The patches work for AOSP version 4.4.4 or higher, which runs on nearly 74 percent of all Android devices. Device manufacturers must incorporate the patches into their own versions of Android. Google will itself update Nexus devices from version 5 onwards.