Security update kills several critical bugs in Android Marshmallow

Google’s November Android security update carries fixes for seven vulnerabilities, including two remote code execution flaws that are rated “critical” (CVE-2015-6608, CVE-2015-6609), and an elevation of privilege vulnerability (CVE-2015-6610) that would also be rated as such were it not for a lower likelihood that it can be exploited remotely.

The majority of the bugs are present in Android 6.0 (Marshmallow), the latest version of the popular OS, which was officially released in October.

CVE-2015-6608 affects the mediaserver service, which is used by Android to index media files that are located on the Android device.

“The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media,” the company explained in the security advisory accompanying the update.

“During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.”

CVE-2015-6609 affects the generic libutils library.

“The affected functionality is provided as an API and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media. The affected component has access to audio and video streams as well as access to privileges that third-party apps cannot normally access,” says Google.

The flaw could allow an attacker, during processing of a specially crafted file, to cause memory corruption and remote code execution.

CVE-2015-6610 affects the libstagefright library and can be exploited by a local malicious application to cause memory corruption and arbitrary code execution within the context of the mediaserver service.

The security update has been pushed out to Nexus devices over-the-air, and new Nexus firmware images have been provided for developers.

“Partners were notified about these issues on October 5, 2015 or earlier. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours,” the company added.