Google plugs five critical Android vulnerabilities

Google has plugged nine Android security holes with its February Nexus security update. Of these, five are critical, four of high and one of moderate severity.

Here’s the complete list:

| Issue | Severity |
|---|---|
| Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver | Critical |
| Remote Code Execution Vulnerability in Mediaserver | Critical |
| Elevation of Privilege Vulnerability in Qualcomm Performance Module | Critical |
| Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver | Critical |
| Elevation of Privilege Vulnerability in the Debugger Daemon | Critical |
| Denial of Service Vulnerability in Minikin | High |
| Elevation of Privilege Vulnerability in Wi-Fi | High |
| Elevation of Privilege Vulnerability in Mediaserver | High |
| Information Disclosure Vulnerability in libmediaplayerservice | High |
| Elevation of Privilege Vulnerability in Setup Wizard | Moderate |

“The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The Remote Code Execution Vulnerability in Broadcom’s Wi-Fi driver is also Critical severity as it could allow remote code execution on an affected device while connected to the same network as the attacker,” the company explained, but added that no active customer exploitation of these issues has been reported.

If the Mediaserver bug sounds familiar, it’s because Google has been regularly patching similarly exploitable bugs in the Mediaserver service for a while now.

The remaining three critical bugs are elevation of privilege vulnerabilities that could lead to permanent device compromise, and fixing this problem would likely require re-flashing the OS.

As per usual, Google notified partners of the issues well in advance (nearly a month before), and source code patches for these issues will be released to the Android Open Source Project repository sometime during the next 48 hours.

Users of other Android smartphones will hopefully get the patches soon, although the security of their devices very much depends on the good will of the manufacturers and their mobile carriers.

Samsung has been keeping (relatively good) pace with Google, and is keeping its promise to issue monthly security updates for its Android-powered devices.

LG has also pledged to regularly provide security updates for its Android users, which it tasks mobile service providers with delivering over the air.