Google fixed 12 bugs, five of which were critical, in Android.
Ever since Google started offering monthly security updates for Android, the company has been patching a critical remote code execution (RCE) bug in its Mediaserver component every month.
The parade started in September (CVE-2015-3864) and continued in October (15 bugs in libstagefright, part of Mediaserver), November (CVE-2015-6608), December (CVE-2015-6616), and now January (CVE-2015-6636).
This most recent issue affects devices running Android 5.0 or higher, and Google said “the affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.”
This means that, just as with Stagefright, an attacker can craft a malicious image, audio, or video file and send it via MMS or stream it through the user's browser.
When this happens, attackers can exploit a memory corruption bug to execute code remotely on the device. Depending on their skill at working with loopholes in Android's system, they could take control of targeted devices.
Google’s own security researchers discovered this flaw, and the company said it had not seen any attacks exploiting this new Mediaserver vulnerability.