Google Releases Fixes for New Android Flaws

Among the Android security patches released by Google this week are fixes for several critical vulnerabilities, including one in the mediaserver component, which saw several other major problems last year.

In the wake of several severe Android vulnerabilities that emerged over the summer, Google and other companies that produce Android devices said they would begin issuing monthly updates to address security problems. One vulnerability, linked to the Stagefright media library, was believed to have exposed as many as 960 million Android devices to possible attack.

According to Google's lead engineer for Android Security, the Stagefright fix was likely "the single largest software update the world has ever seen." No reports have linked the latest Android vulnerabilities, patched yesterday, to any active customer exploitation, Google said.

OTA Updates for Nexus Devices

Google's own Nexus devices began receiving the most recent security fixes via over-the-air updates, according to the January 2016 Android Security Bulletin posted yesterday. Android partners were notified about the latest issues and provided with security updates on or before December 7, the bulletin added.

Source code patches for all the most recently identified vulnerabilities will also be released to the Android Open Source Project repository by tomorrow, according to the bulletin.

Twelve vulnerabilities in all were addressed in this latest security update. They included a critical-severity bug that left open the possibility of remote code execution in the Android mediaserver, which could be exploited via "multiple methods such as e-mail, Web browsing, and MMS when processing media files." Four other critical vulnerabilities could allow malicious actors to elevate privileges and gain access to devices.

Monthly Updates, but Not All Devices Fixed

The remaining vulnerabilities included two of high severity, and five labeled "moderate" severity. "The severity assessment is based on the effect that exploiting the vulnerability would have on an affected...
