Google has released new firmware images for its Nexus devices that address 13 vulnerabilities, including critical flaws affecting its Mediaserver component and a wi-fi driver from Broadcom.
Google says the most serious issues in its February update for Android are two critical flaws affecting Mediaserver, which “could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files”.
Mediaserver was one of the main components vulnerable to the Stagefright bugs that Google initially fixed last August. So far, all seven updates since Google launched monthly Android patching have fixed critical flaws in Mediaserver.
A second pair of remote code execution bugs affects the Broadcom wi-fi driver in Nexus devices and could allow an attacker on the same wi-fi network to gain control of a target’s device by sending specially crafted wireless control message packets that corrupt kernel memory.
The updates for Android Lollipop 5.1 (builds LMY49G or later) and Android Marshmallow introduce a Security Patch Level of February 1, 2016. The patched firmware is available from Google’s developer site, but it is also going out as an over-the-air update today to Nexus 5X, Nexus 6P, Nexus 6, Nexus 5, Nexus 4, Nexus 7, Nexus 9, and Nexus 10 devices.
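The Security Patch Level is the only thing a device exposes that says whether it carries a given bulletin's fixes, so the practical check after a bulletin like this one is to read it from each device and compare it against the bulletin date. The script below is an added example, not code from the article or from Google: the property name `ro.build.version.security_patch` is the real one that Android 6.0 and patched 5.1.1 builds expose via `getprop`, but the device serials and patch-level values in the sample inventory are constructed so the script runs offline without a device attached.

```shell
#!/bin/sh
# Added example (not from the article): audit Android devices' Security
# Patch Level (SPL) against a required bulletin date, here February 1, 2016.
# Real property: ro.build.version.security_patch. Sample inventory below is
# constructed for illustration and stands in for adb output.

REQUIRED_SPL="2016-02-01"

# Convert YYYY-MM-DD to the integer YYYYMMDD so plain sh can compare it.
spl_to_int() {
    printf '%s' "$1" | tr -d '-'
}

# Return 0 if the device SPL is at or after the required SPL, 1 otherwise.
# An empty or malformed SPL (e.g. a KitKat build that never had the
# property) is treated as failing, not as unknown.
spl_ok() {
    dev="$1"; req="$2"
    case "$dev" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$(spl_to_int "$dev")" -ge "$(spl_to_int "$req")" ]
}

# Read the SPL from a connected device by serial (real adb/getprop usage).
device_spl() {
    adb -s "$1" shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n'
}

# Print one report line: serial, SPL, verdict.
report() {
    serial="$1"; spl="$2"
    if spl_ok "$spl" "$REQUIRED_SPL"; then
        printf '%s\t%s\tOK\n' "$serial" "${spl:-<none>}"
    else
        printf '%s\t%s\tOUTDATED (need >= %s)\n' "$serial" "${spl:-<none>}" "$REQUIRED_SPL"
    fi
}

# Constructed sample inventory ("serial SPL" per line); the third device
# deliberately has no SPL, as a pre-Marshmallow build would.
sample_inventory() {
    printf '%s\n' \
        "nexus5x-demo 2016-02-01" \
        "nexus6-demo 2016-01-01" \
        "kitkat-demo "
}

audit_samples() {
    sample_inventory | while read -r serial spl; do
        report "$serial" "$spl"
    done
}

audit_samples
```

Against real hardware, replace the sample loop with `for s in $(adb devices | awk 'NR>1 && $2=="device"{print $1}'); do report "$s" "$(device_spl "$s")"; done`. Comparing the dates as integers rather than strings avoids surprises if a vendor build pads or reorders the field, and treating a missing property as a failure matters because the builds most likely to lack it are exactly the older ones the article flags as stuck on KitKat.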
Notably, one of the Mediaserver bugs also affects Android KitKat 4.4.4, which doesn’t present a risk for Nexus users who have updated to a newer version, but likely affects a host of mid-range devices from Samsung, LG, HTC and Sony that are stuck on KitKat or earlier.
At the beginning of January 36 percent of the world’s Android handsets were running KitKat and a further 24 percent were running the earlier Jelly Bean.
The February patch should roll out to flagship devices from Android handset makers over the coming weeks. Google said it notified Android partners on or before January 4.
Samsung, which has followed Google’s lead on monthly patching, rolled out its January security fixes last week, nearly a month after Google released its fixes, though Samsung addressed a number of bugs that were specific to its Galaxy devices.
In total, the February Android security update addresses 13 vulnerabilities. Google has rated seven of them “critical”, four “high severity” and two “moderate”.
The other critical bugs include an issue in the Qualcomm performance event manager component for ARM processors, a bug in the Qualcomm wi-fi driver, and a vulnerability in the Debuggerd component. All three, however, require local access to exploit, unlike the Broadcom and Mediaserver issues, which can be exploited remotely.
Google revealed last week that by the end of 2015 it had paid out $200,000 to researchers since launching its Android Nexus bug bounty last June.