Search This Blog

Marshmallow OS to get patch for two critical Android bug

Google has patched seven of its code execution vulnerabilities in which two of them were rated critical, while four were high and one was moderate. This was the fourth round of Android patching since August this year.
Google has patched seven of its code execution vulnerabilities in which two of them were rated critical, while four were high and one was moderate. This was the fourth round of Android patching since August this year.

Two flaws, which give attackers remote code execution, that were rated critical include libutils (CVE-2015-6609) and mediaserver (CVE-2015-6608) holes. The holes can be exploited by sending crafted media files to the affected devices.

Google informed their “partners’ about the patch on October 5, and the patch code is set to be available on Nexus, Samsung, and Android Open Source Project, but it will be first available for its latest Marshmallow Android operating system.

In its advisory Google said that, "The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."

"During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media."

Privilege elevation bug is solved in libstagefright library which was separate from StageFright vulnerabilities reported by Zimperium researcher Joshua Drake earlier this year.

Vulnerabilities in Bluetooth (CVE-2015-6613), the mediaserver (CVE-2015-6611), the telephone app (CVE-2015-6614), and libmedia (CVE-2015-6612) were also patched.

Google says “exploitation is made harder on the security-improved Marshmallow Android platform.

Issue
CVE
Severity
Remote Code Execution Vulnerabilities in Mediaserver
CVE-2015-6608
Critical
Remote Code Execution Vulnerability in libutils
CVE-2015-6609
Critical
Information Disclosure Vulnerabilities in Mediaserver
CVE-2015-6611
High
Elevation of Privilege Vulnerability in libstagefright
CVE-2015-6610
High
Elevation of Privilege Vulnerability in libmedia
CVE-2015-6612
High
Elevation of Privilege Vulnerability in Bluetooth
CVE-2015-6613
High
Elevation of Privilege Vulnerability in Telephony
CVE-2015-6614
Moderate


Share it:

Android Vulnerability

Breaking News