Among the Android security patches released by Google this week are fixes for several critical vulnerabilities, including one for the mediaserver component that saw several other major problems last year.
In the wake of several severe Android vulnerabilities that emerged over the summer, Google and other companies that produce Android devices said they would begin issuing monthly updates to address security problems. One vulnerability, linked to the Stagefright media library, was believed to have exposed as many as 960 million Android devices to possible hack attacks.
According to Google's lead engineer for Android Security, the Stagefright fix was likely "the single largest software update the world has ever seen." No reports have linked the latest Android vulnerabilities, patched yesterday, to any active customer exploitation, Google said.
OTA Updates for Nexus Devices
Google's own Nexus devices began receiving the most recent security fixes via over-the-air updates, according to the January 2016 Android Security Bulletin posted yesterday. Android partners were notified about the latest issues and provided with security updates on or before December 7, the bulletin added.
Source code patches for all the most recently identified vulnerabilities will also be released to the Android Open Source Project repository by tomorrow, according to the bulletin.
Twelve vulnerabilities in all were addressed in this latest security update. They included a critical-severity bug that left open the possibility of remote code execution in the Android mediaserver, which could be hacked via "multiple methods such as e-mail, Web browsing, and MMS when processing media files." Four other critical vulnerabilities could allow malicious actors to elevate privileges and gain access to devices.
Monthly Updates, but Not All Devices Fixed
The remaining vulnerabilities included two rated high severity and five rated "moderate" severity. "The severity assessment is based on the effect that exploiting the vulnerability would have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed," according to the security bulletin.
First identified by the enterprise mobile security firm Zimperium in July, the Stagefright bug left open the potential for hackers to remotely execute code and escalate privileges on affected devices, often without any action required by the device owner.
Given the massive number of devices potentially affected by Stagefright, Certifi-Gate and other vulnerabilities that emerged over the summer, Google, Samsung and LG began rolling out monthly security updates for their Android devices.
Just last month, Zimperium posted a video demonstration on its blog showing how members of its team were able to access a new Nexus 6 smartphone by sending a text message that opened a malicious link. That enabled the team to gain access to the phone's personal photos, GPS data, camera images and even conversations. Many Android devices have still not received the update to fix that vulnerability, Zimperium added.