Google has released the January security update for Android (for its Nexus devices). The update fixes 12 issues, five of which are critical.
The most important hole that’s been plugged is a remote code execution flaw in mediaserver (CVE-2015-6636), which can be exploited by an attacker delivering a specially crafted media file to the target user – via email, web browsing, and MMS.
“The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps cannot normally access,” Google explains. “The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.”
The last two Android security updates before this one also contained fixes for similar flaws in mediaserver.
The remaining four critical flaws are all elevation of privilege vulnerabilities in the misc-sd driver from MediaTek, a kernel driver from Imagination Technologies, the Widevine QSEE TrustZone application, and the kernel – all are deemed critical because they can lead to a local permanent device compromise, and users might need to re-flash the operating system in case this happens.
Of the two flaws rated “high” in severity is one that could permit a bypass of Android’s security measures (CVE-2015-6641).
Interestingly enough, the fix for one of the “moderate” issues consists of the removal of the SysV IPC component because it’s not supported in any Android Kernel, is not compliant with Android’s application, and therefore provides no benefits while increasing the attack surface.
Most of the flaws affect Android Marshmallow, Lollipop and KitKat.
Users of devices running Android but are not Google’s own Nexus devices can expect updates from their vendors and carriers in due time.