Four critical Android bugs patched, one could lead to permanent device compromise

Google’s December security update for Android has been pushed out to Nexus devices on Monday, and it contains fixes for 19 vulnerabilities, four of which are deemed “critical”.

Among these is an elevation of privilege vulnerability (CVE-2015-6619) in the system kernel, which could be exploited by a local malicious application to execute arbitrary code within the device root context.

“This issue is rated as a Critical severity due to the possibility of a local permanent device compromise and the device could only be repaired by re-flashing the operating system,” Google explained.

The remaining three critical flaws, affecting mediaserver (CVE-2015-6616), the Skia component (CVE-2015-6617) and the user mode driver loaded by mediaserver (CVE-2015-6633, CVE-2015-6634), could also lead to remote code execution.

An attacker would only need to craft special media files and serve them to the user (i.e. the device) to be processed to trigger the exploitation of the flaws. This file could be served via email, web browsing, and MMS.

All four of these bugs have been discovered by the Google Chrome Security Team, and all affect Android version 6.0 (Marshmallow) and below.

“Partners were notified about and provided updates for these issues on November 2, 2015 or earlier. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours,” the company noted, and added that they “have had no reports of active customer exploitation of these newly reported issues.”