Image: Jack Wallen
And we’re back! Google has released the latest Android security update and, as you might expect, there’s plenty to be had. This time around, Google patched 40 vulnerabilities. Twelve of these 40 issues were marked as critical, with two of those identified as remote code execution vulnerabilities (aka, the worst kind). Unfortunately, the two remote code execution (RCE) issues are found in Android’s mediaserver. This is the same subsystem that has been plagued with issues in the past few months. Those two RCE issues aren’t the only ones to haunt the mediaserver.
But let’s not waste time with introductions. Let’s get right to the vulnerabilities. As usual, you can get full explanations for all of the issues on the official security update page. Let’s take a look at the highlight reel for May.
Remote Code Execution Vulnerability in Mediaserver
During media file and data processing of a specially crafted file, a vulnerability in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver
Critical. There were two more bugs found in the Qualcomm Wi-Fi driver that could enable a malicious application to execute arbitrary code within the context of the kernel. Both of these issues (26754117 and 26764809) were first reported in January, 2016.
Elevation of Privilege Vulnerability in NVIDIA Video Driver
Critical. Four issues (27251090, 27297988, 27299111, 27436822) affect the Nexus 9, all of which are associated with the NVIDIA video driver and are listed as critical due to the ability to execute arbitrary code within the context of the kernel. Should a device become affected by these issues, the only fix would be a reflashing of the operating system.
Elevation of Privilege Vulnerability in Kernel
Critical. Another issue where malicious applications could execute arbitrary code within the kernel has come back from the grave. Originally described in the March 2016 security report, bug 27275324 was originally patched in the Linux upstream kernel back in June 2015. This is another issue that would require reflashing the operating system, should your device be affected.
Remote Code Execution Vulnerability in Kernel
High. Bug 26636060 affects the audio subsystem and could enable a local malicious app to execute arbitrary code in the context of the kernel. Although remote code execution vulnerabilities are almost always ranked “critical”, this bug drops to the “high” ranking because an attacker must first compromise a privileged service in order to call the audio subsystem.
Information Disclosure Vulnerability in Qualcomm Tethering Controller
High. Bug 27942588 is rated as high because it can be used to gain elevated capabilities from the likes of Signature and SignatureOrSystem, via system privileges. Since these are not accessible to third-party applications, it is only rated as high.
Remote Code Execution Vulnerability in Bluetooth
High. Bug 27411268 is a rather crucial issue to fix, as it could enable a proximity attack that executes arbitrary code during the Bluetooth pairing process. This bug affects all Nexus devices and was originally reported on Feb 28, 2016.
Elevation of Privilege Vulnerability in Wi-Fi
High. Bug 27371366 can cause newlines to be output while writing to the Wi-Fi config file, which can lead to corruption of the wpa_supplicant configuration. This bug affects all Nexus devices and was first reported Feb 24, 2016.
Elevation of Privilege Vulnerability in Mediaserver
High. Bugs 27533704, 27568958, 27569635, 27597103, and 27662364 all affect the mediaserver and could enable local malicious applications to execute arbitrary code within the context of the kernel. The only reason these bugs are rated high is that they must gain elevated capabilities from permissions, which are not accessible to third-party apps. This does, however, continue to point to the weakness of the Android mediaserver subsystem.
Elevation of Privilege Vulnerability in Conscrypt
Moderate. Bug 27449871 is a vulnerability in OpenSSL and BoringSSL that could enable a local malicious application to access data beyond its permission levels. This would normally be rated as high, but since it requires a rather uncommon manual configuration, it is rated lower.
Check your patch level
If you’re curious as to what patch level your device is currently enjoying, go to Settings | About phone and check out the Security patch level entry (Figure A). As of this writing (May 10, 2016), the May security patch has yet to hit the Nexus devices (which means it will not have hit other devices either).
Figure A: The security patch level on a Verizon-branded Nexus 6. (Image: Jack Wallen)
Keep checking your device for updates and, as soon as one is made available…apply it. Generally speaking, however, the security patches are installed automatically.
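The patch level shown under Settings | About phone can also be read over adb, which helps when several devices need checking. The script below is an added example, not part of the original article: it reads the ro.build.version.security_patch property and compares it with a baseline. The baseline 2016-05-01, the function names, the --adb switch and the sample device lines are assumptions made for illustration.

```shell
# Added example: flag devices whose security patch level is below a baseline.
# REQUIRED_LEVEL is an assumed baseline for the May 2016 patch; override as needed.
REQUIRED_LEVEL="${REQUIRED_LEVEL:-2016-05-01}"

# Return 0 if $1 looks like a YYYY-MM-DD patch level string.
valid_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if level $1 is at or after $2, 1 if it is older, and 2 if either
# value is missing or malformed, so "unknown" is never treated as patched.
patch_level_ok() {
    valid_level "$1" && valid_level "$2" || return 2
    a=$(printf '%s' "$1" | tr -d '-')
    b=$(printf '%s' "$2" | tr -d '-')
    [ "$a" -ge "$b" ]
}

# Print "serial patch_level" for every attached device (needs adb on PATH).
adb_levels() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null stops adb from swallowing the rest of the serial list
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
        printf '%s %s\n' "$serial" "${level:-unknown}"
    done
}

# Read "serial level" lines on stdin, print a verdict for each device, and
# return non-zero if any device is behind the baseline or reports no level.
report() {
    rc=0
    while read -r serial level; do
        if patch_level_ok "$level" "$REQUIRED_LEVEL"; then
            echo "$serial $level OK"
        else
            echo "$serial ${level:-unknown} NOT-OK"
            rc=1
        fi
    done
    return $rc
}

# "--adb" queries attached devices; otherwise use constructed sample lines.
if [ "${1:-}" = "--adb" ]; then adb_levels; else
    printf '%s\n' 'SAMPLE-A 2016-05-01' 'SAMPLE-B 2016-04-02' 'SAMPLE-C unknown'
fi | report || echo "at least one device is below $REQUIRED_LEVEL"
```

Devices that do not expose the property report an empty value and are listed as NOT-OK rather than silently passing.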