Google Patches Android for Yet Another RCE Flaw in Its Mediaserver Component

Posted on

Google patches RCE flaw in Mediaserver five months in a row. Google has just released the changelog of its most recent Android security bulletin, in which it fixed 12 bugs, five of which were labeled as of critical severity.

Ever since Google announced and started offering monthly security updates for Android, the company has been patching an RCE (Remote Code Execution) critical bug in its Mediaserver component every month. It did so in September (CVE-2015-3864), in October(15 bugs in libstagefright, part of Mediaserver), in November (CVE-2015-6608), December(CVE-2015-6616), and now in January (CVE-2015-6636).

Some (smart) users might say that it’s time for Google to rethink its Mediaserver component, especially since it was the origin point of the first two Stagefright vulnerabilities that affected over one billion devices, first in August, then in October.

Of course, bugs are often found in software products, but not with the frequency and severity at which security researchers are finding them in Android’s Mediaserver.

Since Google has announced plans to migrate Android’s code from Java to OpenJDK, this might be the perfect time to do so.

Latest Mediaserver RCE has shades of Stagerfight

This most recent issue affects only devices running Android 5.0 or higher, and Google says that “the affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.”

This means that, just like in Stagefright’s case, an attacker can craft a malicious image, audio, or video file, and send it via an MMS or stream via the user’s browser.

When this happens, exploiting a memory corruption bug, attackers can execute remote code on the device. Based on their skills in working with loopholes in Android’s system, they could take control of targeted devices.

Google’s own security researchers discovered this flaw, and the company said that it had not seen any attacks exploiting this new Mediaserver vulnerability. Below is the complete list of patched Android security issues.

Issue CVE Severity
Remote Code Execution Vulnerability in Mediaserver CVE-2015-6636 Critical
Elevation of Privilege Vulnerability in misc-sd driver CVE-2015-6637 Critical
Elevation of Privilege Vulnerability in the Imagination Technologies driver CVE-2015-6638 Critical
Elevation of Privilege Vulnerabilities in Trustzone CVE-2015-6639 Critical
Elevation of Privilege Vulnerability in Kernel CVE-2015-6640 Critical
Elevation of Privilege Vulnerability in Bluetooth CVE-2015-6641 High
Information Disclosure Vulnerability in Kernel CVE-2015-6642 High
Elevation of Privilege Vulnerability in Setup Wizard CVE-2015-6643 Moderate
Elevation of Privilege Vulnerability in Wi-Fi CVE-2015-5310 Moderate
Information Disclosure Vulnerability in Bouncy Castle CVE-2015-6644 Moderate
Denial of Service Vulnerability in SyncManager CVE-2015-6645 Moderate
Attack Surface Reduction for Nexus Kernels CVE-2015-6646 Moderate

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s