Google has come out with its second security patch update for Android in 2016, this time patching 13 vulnerabilities in the mobile device operating system. Five of the vulnerabilities are rated by Google as having critical severity.
Of the five critical vulnerabilities patched by Google, two (CVE-2016-0803 and CVE-2016-0804) are remote code execution vulnerabilities in Android’s mediaserver. The Android mediaserver has been the focus of Google security patches ever since the Stagefright flaw was first exposed in July 2015. As was the case in the January Android update, the new mediaserver flaws are not specifically in the libstagefright library, but they are in the same general area of Android’s architecture.
“During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process,” Google warns in its security advisory.
The Android mediaserver isn’t the only component of Android being patched for a remote code execution vulnerability in the February update. The Broadcom WiFi driver in Android is being patched for two critical vulnerabilities identified as CVE-2016-0801 and CVE-2016-0802.
“Multiple remote execution vulnerabilities in the Broadcom Wi-Fi driver could allow a remote attacker to use specially crafted wireless control message packets to corrupt kernel memory in a way that leads to remote code execution in the context of the kernel,” Google warned.
There is also a critical patch for a privilege escalation flaw in Qualcomm’s Android WiFi driver, identified as CVE-2016-0806. In addition, there is another critical privilege escalation flaw with the Qualcomm performance module.
“An elevation of privilege vulnerability in the performance event manager component for ARM processors from Qualcomm could enable a local malicious application to execute arbitrary code within the kernel,” the Google advisory states.
The final critical issue patched in the February update is a privilege escalation vulnerability in a debugging component of Android (technically referred to as the ‘debuggered‘ process), identified as CVE-2016-0807. This isn’t the first time that a flaw has been reported with the process, which helps to enable debugging of applications. Back in June 2015, security vendor Trend Micro reported an information disclosure flaw in the same debugging component.
So far in 2016, Google’s monthly Android security updates have provided patches for 25 vulnerabilities. Google first began its monthly Android patch cycle in August of 2015, in the immediate aftermath of the initial Stagefright vulnerability disclosure.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.