Some of the biggest Android security flaws on Nexus devices are getting fixed today, thanks to a new monthly update from Google. In fact, so many bugs are addressed in the patch that the upgrade is the largest to date since the company began issuing regular monthly fixes for Nexus phones last year.
Among the 39 vulnerabilities addressed in the over-the-air update are some of the most serious security issues the company has discovered in recent months. The most severe is a critical bug that could enable remote code execution on an affected device through multiple methods such as e-mail, Web browsing, and MMS (multimedia messaging service) when processing media files.
Rooting Vulnerabilities Addressed
The update is part of Google’s Android Security Bulletin Monthly Release process. Included in the patch are eight security issues the company rated as “critical,” its highest severity rating. An additional 13 were given a “high” severity rating. The severity assessment is based on the effect that exploiting a vulnerability might have on an affected device.
The company said that the patch should go a long way toward shoring up Android’s security. The platform’s reputation has taken some hits recently following the publication of a number of vulnerabilities discovered by mobile security firms, including several applications able to root users’ devices without their knowledge. The company said that despite the existence of the vulnerability, it hasn’t received any reports of active exploitation of users.
This release should address the rooting vulnerabilities. “Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform,” Google said in its security bulletin. “We encourage all users to update to the latest version of Android where possible.”
Google said its Android security team is actively monitoring third-party apps for signs of abuse or malicious behavior to give users a heads-up about potentially dangerous applications.
Verify Apps
Although this latest update should take care of the current crop of rooting vulnerabilities, the company said it isn’t taking any chances. Among the enhancements included in the latest version is a feature called Verify Apps, which is enabled by default.
Verify Apps attempts to identify and block installation of known malicious applications that either root devices or exploit a privilege escalation vulnerability. It can also identify malicious applications that are already installed and attempt to remove them.
Most of the critical vulnerabilities fixed in this upgrade stemmed from problems with either the Dynamic Host Configuration Protocol service, or the mediaserver, which allowed attackers to hijack the device through malicious code buried in video and audio files.
That includes the libstagefright (Stagefright) remote code execution vulnerability, a problem that has plagued the company for a while. Google said the affected functionality is a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
