Menu
Google patches critical media processing and rooting vulnerabilities in Android

Google patches critical media processing and rooting vulnerabilities in Android

The flaws can be exploited remotely through emails, Web pages, MMS and rogue apps

Google has released a new batch of security fixes for its Nexus smartphones and tablets, addressing flaws that could allow attackers to compromise the Android devices via rogue emails, Web pages, and MMS messages.

Firmware updates are being rolled out to supported Nexus devices as an over-the-air update and the patches will be added the Android Open Source Project (AOSP) over the next 48 hours. Builds LMY48Z and Android Marshmallow with a Dec. 1, 2015, Security Patch Level contain these fixes, Google said in its security bulletin.

The updates address five vulnerabilities rated as critical, 12 rated as high and two as moderate. A significant number of flaws were again located in the OS' media processing components, which handle audio and video file playback and corresponding file metadata parsing.

One of the critical vulnerabilities is located in mediaserver, a core part of the operating system, and can be exploited to execute arbitrary code with privileges that third-party applications are not supposed to have. Attackers can exploit the flaw remotely by tricking users into playing specifically crafted media files in their browsers or by sending them via multimedia message (MMS).

It's worth noting that Google has disabled automatic parsing of multimedia messages received in Google Hangouts and Messenger, the default messaging applications in Android.

Three other media processing vulnerabilities that can lead to remote code execution via email, Web browsing and MMS have been patched in the Skia graphics engine and the user mode display driver loaded by mediaserver.

The last critical vulnerability patched in this release is a privilege escalation flaw in the Android kernel. It potentially allows rogue applications to execute code as root, the highest privilege on the system.

This is the type of flaw that enables so-called Android rooting, which some enthusiasts use to gain complete control over their devices. But in the hands of malicious attackers, such a flaw can lead to a full and persistent device compromise that can only be fixed by re-flashing the operating system.

Additional privilege escalation flaws have been fixed in other components with this release, but they're rated only as high because they don't provide root access. They can, however, give rogue apps dangerous permissions that they shouldn't have.

Google recommends that users of older Android versions update to the latest one, if possible -- for example, if their device manufacturers provided updates. That's because newer versions of Android have security enhancements in place that can make exploitation of some vulnerabilities harder or impossible.

Google's security team also uses features like Verify Apps and SafetyNet to monitor for and block potentially harmful applications. For example, apps that use privilege escalation flaws to root devices are not allowed in Google Play and Verify Apps will block known rooting apps by default.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Show Comments