Critical Android Vulnerabilities Patched

Tuesday, December 8, 2015 @ 04:12 PM gHale

Android’s security update pushed out to Nexus devices Monday and it contains fixes for 19 vulnerabilities, four of which are “critical.”

Among these is an elevation of privilege vulnerability (CVE-2015-6619) in the system kernel, which could end up exploited by a local malicious application to execute arbitrary code within the device root context.

Possible Backdoor on Android Devices
Unsupported ICS: Not an Easy Upgrade
Age of New and Different
German Steel Mill Attack: Inside Job

“This issue is rated as a critical severity due to the possibility of a local permanent device compromise and the device could only be repaired by re-flashing the operating system,” Google said.

The remaining three critical flaws, affecting mediaserver (CVE-2015-6616), the Skia component (CVE-2015-6617) and the user mode driver loaded by mediaserver (CVE-2015-6633, CVE-2015-6634), could also lead to remote code execution.

An attacker would only need to craft special media files and serve them to the user (i.e. the device) to trigger the exploitation of the flaws. This file could end up served via email, web browsing, and MMS.

The Google Chrome Security Team discovered the flaws and all affect Android version 6.0 (Marshmallow) and below.

“Partners were notified about and provided updates for these issues on November 2, 2015 or earlier. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours,” the company said, and added they “have had no reports of active customer exploitation of these newly reported issues.”