Patches for Google’s Nexus devices fix seven vulnerabilities, two of which the company labeled critical and could allow for remote code execution when handling media files.
The updates are part of Google’s monthly patch cycle and are available for Nexus devices running Android 5.1 (Lollipop) and 6.0 (Marshmallow). The source code for the fixes will also add into the Android Open Source Project (AOSP).
The most serious flaws patched in this release are CVE-2015-6608 and CVE-2015-6609. They are in the mediaserver and libutils components of Android, respectively. The vulnerabilities can end up exploited remotely through specially crafted media files.
Hackers could remotely exploit the vulnerabilities in multiple ways, including sending MMS messages and tricking users to play media in the browser.
These are just the latest in a string of critical vulnerabilities found and patched in Android’s media playback components since July, when a vulnerability in a library called Stagefright led to a major coordinated patching effort from Android device manufacturers and prompted Google, Samsung and LG to introduce monthly security updates.
Three other flaws fixed in this update rated as high severity are in mediaserver, libstagefright and libmedia — all media processing components. The remaining two vulnerabilities are in the Bluetooth and Telephony components.
Google said its severity assessment doesn’t take into account the mitigations that can make exploiting such flaws more difficult. They include the Verify Apps and SafetyNet services that monitor for potentially harmful applications, disabling automatic media processing in applications like Google Hangouts and Messenger, and anti-exploitation techniques present in newer versions of Android.