Google patches RCE flaw in Mediaserver five months in a row
Google has just released the changelog of its most recent Android security bulletin, in which it fixed 12 bugs, five of which were rated critical in severity.
Ever since Google announced and started offering monthly security updates for Android, the company has been patching a critical RCE (Remote Code Execution) bug in its Mediaserver component every month. It did so in September (CVE-2015-3864), in October (15 bugs in libstagefright, part of Mediaserver), in November (CVE-2015-6608), in December (CVE-2015-6616), and now in January (CVE-2015-6636).
Some (smart) users might say that it’s time for Google to rethink its Mediaserver component, especially since it was the origin point of the first two Stagefright vulnerabilities that affected over one billion devices, first in August, then in October.
Of course, bugs are often found in software products, but not with the frequency and severity at which security researchers are finding them in Android’s Mediaserver.
Since Google has announced plans to migrate Android’s code from Java to OpenJDK, this might be the perfect time to do so.
Latest Mediaserver RCE has shades of Stagefright
This most recent issue affects only devices running Android 5.0 or higher, and Google says that “the affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.”
This means that, just like in Stagefright’s case, an attacker can craft a malicious image, audio, or video file, and send it via an MMS or stream it via the user’s browser.
When this happens, attackers can exploit a memory corruption bug to execute code remotely on the device. Depending on their skill in working with loopholes in Android’s system, they could take control of targeted devices.
Google’s own security researchers discovered this flaw, and the company said that it had not seen any attacks exploiting this new Mediaserver vulnerability. Below is the complete list of patched Android security issues.
| Issue | CVE | Severity |
|---|---|---|
| Remote Code Execution Vulnerability in Mediaserver | CVE-2015-6636 | Critical |
| Elevation of Privilege Vulnerability in misc-sd driver | CVE-2015-6637 | Critical |
| Elevation of Privilege Vulnerability in the Imagination Technologies driver | CVE-2015-6638 | Critical |
| Elevation of Privilege Vulnerabilities in Trustzone | CVE-2015-6639 | Critical |
| Elevation of Privilege Vulnerability in Kernel | CVE-2015-6640 | Critical |
| Elevation of Privilege Vulnerability in Bluetooth | CVE-2015-6641 | High |
| Information Disclosure Vulnerability in Kernel | CVE-2015-6642 | High |
| Elevation of Privilege Vulnerability in Setup Wizard | CVE-2015-6643 | Moderate |
| Elevation of Privilege Vulnerability in Wi-Fi | CVE-2015-5310 | Moderate |
| Information Disclosure Vulnerability in Bouncy Castle | CVE-2015-6644 | Moderate |
| Denial of Service Vulnerability in SyncManager | CVE-2015-6645 | Moderate |
| Attack Surface Reduction for Nexus Kernels | CVE-2015-6646 | Moderate |