Google released its June update, patching eight critical-severity vulnerabilities and 28 high-severity vulnerabilities that affect its Nexus devices and devices manufactured by partners of Google's Android Open Source Project.
According to the security update, the most severe vulnerability is a media file processing flaw (CVE-2016-2463) that could allow a remote attacker to execute code on Android devices through email, video, web browsing, or text/chat messages. “The Mediaserver process has access to audio and video streams, as well as access to privileges that third-party apps could not normally access,” Google's Android security bulletin stated.
Flaws affecting Android's Mediaserver platform have been a recurring challenge since the Stagefright vulnerability was discovered last summer. The June update also patched 13 high-severity vulnerabilities (CVE-2016-2476, CVE-2016-2477, CVE-2016-2478, CVE-2016-2479, CVE-2016-2480, CVE-2016-2481, CVE-2016-2482, CVE-2016-2483, CVE-2016-2484, CVE-2016-2485, CVE-2016-2486, CVE-2016-2487, and CVE-2016-2495) and one moderate-severity vulnerability (CVE-2016-2499) that affect the media file processing platform.
“Initially, the security deemed the Stagefright attack as not practical, because it would take too long to execute the attack,” FireEye Manager of Threat Research Jimmy Su told SCMagazine.com. However, he noted, the timeframe required for attackers to repeatedly replay media devices is getting closer to making these attacks practical.
Android's open source architecture “is an ‘open playbook’ for the hacker community to obtain direct access to core operating system source code,” wrote RSA GM and Senior Director Peter Tran in an email to SCMagazine.com. While the open source system was designed to allow the developer community to contribute to development and innovation, he said it has become “a blessing and a curse with the Android development model.”
Google also patched five critical flaws affecting Qualcomm drivers, another repeat Android security issue. Critical flaws affecting Qualcomm video drivers (CVE-2016-2465), sound drivers (CVE-2016-2466 and CVE-2016-2467), the Qualcomm GPU driver (CVE-2016-2468 and CVE-2016-2062), and Wi-Fi drivers (CVE-2016-2474) could allow malicious applications to execute arbitrary code. Last month, researchers found 60 percent of enterprise Android phones were affected by a vulnerability that could allow an attacker to remotely run any code in the Qualcomm Secure Execution Environment.