Tuesday, 3 November 2015

New Android Marshmallow bugs fixing update

Google has patched two critical remote code execution vulnerabilities as part of a suite of seven fixes in its fourth round of Android patching since August.
The over-the-air updates set to hit Nexus, Samsung, and Android Open Source Project (AOSP) devices first for Google's latest Marshmallow Android operating system.
Google informed "partners" on 5 October and patch source code is set to hit the AOSP soon.
Two flaws rated critical include libutils (CVE-2015-6609) and mediaserver (CVE-2015-6608) holes which grant attackers remote code execution.


Attackers can exploit the holes by sending crafted media files to affected devices.
Google says it is unaware of attacks targeting the patched vulnerabilities.
"The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," Google says in an advisory.
"During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.
"The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media."
A vulnerability (CVE-2015-6610) was also fixed in the libstagefright library which was separate to the StageFright vulnerabilities reported by Zimperium researcher Joshua Drake that made headlines earlier this year.
Privilege elevation bugs are also closed in Bluetooth (CVE-2015-6613), the telephone app (CVE-2015-6614), and libmedia (CVE-2015-6612).
Google says exploitation is made harder on the security-improved Marshmallow Android platform. ®
Issue
CVE
Severity
Remote Code Execution Vulnerabilities in Mediaserver
CVE-2015-6608
Critical
Remote Code Execution Vulnerability in libutils
CVE-2015-6609
Critical
Information Disclosure Vulnerabilities in Mediaserver
CVE-2015-6611
High
Elevation of Privilege Vulnerability in libstagefright
CVE-2015-6610
High
Elevation of Privilege Vulnerability in libmedia
CVE-2015-6612
High
Elevation of Privilege Vulnerability in Bluetooth
CVE-2015-6613
High
Elevation of Privilege Vulnerability in Telephony
CVE-2015-6614
Moderate

No comments:

Post a Comment