Google plugs 19 holes in newest Android security update

In the March 2016 security update for the Android Open Source Project (AOSP), Google has fixed 19 security issues, seven of which are considered to be critical.

Among these, and admittedly the most important to patch, are two remote code execution vulnerabilities in – yes, you’ve guessed it – Mediaserver. Mediaserver is a service in Android that allows the device to index media files that are located on it.

Android security update

The vulnerabilities in question (CVE-2016-0815, CVE-2016-0816) can be triggered via a specially crafted file. As the file is processed by the service, it trigger the bugs and lead to memory corruption and remote code execution.

“The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media,” Google notes. “The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps could not normally access.”

The Mediaserver service also sports two elevation of privilege and two information disclosure flaws that have been patched in this month’s update.

The majority of the critical vulnerabilities patched this time were found by Google internally, and there is no indication of active customer exploitation of these issues.

Another critical bug that has been patched is found in the Qualcomm performance component, which could be triggered to allow elevation of privilege vulnerability, and that could enable a local malicious application to execute arbitrary code in the kernel.

“This issue is rated as a critical severity due to the possibility of a local permanent device compromise, and the device could only be repaired by re-flashing the operating system,” Google explained.

For a full list of fixed issues, go here. As always, Google notified partners of the issues nearly a month before, and source code patches for these issues will be released to the Android Open Source Project repository sometimes during the next 24 hours.

Nexus users can also get firmware images from the Google Developer site.

Users of other smartphones running Android will have to wait for their manufacturer or carriers to push out the patches.