Google roasts critical twin Android bugs in new Marshmallow OS

Privilege escalation and remote code execution feature in fourth droid patch run.

Google has patched two critical remote code execution vulnerabilities as part of a suite of seven fixes in its fourth round of Android patching since August.

The over-the-air updates set to hit Nexus, Samsung, and Android Open Source Project (AOSP) devices first for Google’s latest Marshmallow Android operating system.

Google informed “partners” on 5 October and patch source code is set to hit the AOSP soon.

Two flaws rated critical include libutils (CVE-2015-6609) and mediaserver (CVE-2015-6608) holes which grant attackers remote code execution.

Attackers can exploit the holes by sending crafted media files to affected devices.

Google says it is unaware of attacks targeting the patched vulnerabilities.

“The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files,” Google says in an advisory.

“During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.

“The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.”

A vulnerability (CVE-2015-6610) was also fixed in the libstagefright library which was separate to the StageFright vulnerabilities reported by Zimperium researcher Joshua Drake that made headlines earlier this year.

Privilege elevation bugs are also closed in Bluetooth (CVE-2015-6613), the telephone app (CVE-2015-6614), and libmedia (CVE-2015-6612).

Google says exploitation is made harder on the security-improved Marshmallow Android platform.

Issue

CVE

Severity

Remote Code Execution Vulnerabilities in Mediaserver

CVE-2015-6608

Critical

Remote Code Execution Vulnerability in libutils

CVE-2015-6609

Critical

Information Disclosure Vulnerabilities in Mediaserver

CVE-2015-6611

High

Elevation of Privilege Vulnerability in libstagefright

CVE-2015-6610

High

Elevation of Privilege Vulnerability in libmedia

CVE-2015-6612

High

Elevation of Privilege Vulnerability in Bluetooth

CVE-2015-6613

High

Elevation of Privilege Vulnerability in Telephony

CVE-2015-6614

Moderate

Sponsored: 2015 Cost of Cyber Crime Study: United States

Share