Google has fixed 19 Android security issues, seven of which are critical.
Two of the most important patches are remote code execution vulnerabilities in Mediaserver.
The fixes were in the March security update for the Android Open Source Project (AOSP). Mediaserver is a service in Android that allows the device to index media files that are located on it.
The vulnerabilities can end up triggered via a specially crafted file. As the file ends up processed by the service, it triggers the bugs and leads to memory corruption and remote code execution.
“The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media,” Google said in its advisory. “The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps could not normally access.”
The Mediaserver service also has two elevation of privilege issues and two information disclosure flaws Google patched.
Google found the majority of the critical vulnerabilities and there is no indication of active anyone exploiting the issues right now.
Another patched critical issue is in the Qualcomm performance component, which could allow elevation of privilege vulnerability, and that could enable a local malicious application to execute arbitrary code in the kernel.
“This issue is rated as a critical severity due to the possibility of a local permanent device compromise, and the device could only be repaired by re-flashing the operating system,” Google explained.
Click here for a list of fixed issues.