Google Details The Fixes Contained In The September Round Of Security Updates To Nexus Devices And AOSP

This week the latest batch of over-the-air security updates started rolling out to Nexus devices, most going under version LMY48M. Google also posted the goods online in the form of factory images. The company then went on to provide a list of the security fixes.

Eight make the list, with one having actually been exploited in the wild. Though whether this was used maliciously or just someone rooting their own device is unclear. None of the vulnerabilities are newly disclosed.

Show 102550100 entries

Title	CVE	Severity	Active Exploitation
Remote Code Execution Vulnerability in Mediaserver	CVE-2015-3864	Critical	No
Elevation of Privilege Vulnerability in Kernel	CVE-2015-3636	Critical	Yes
Elevation of Privilege Vulnerability in Binder	CVE-2015-3845, CVE-2015-1528	High	No
Elevation of Privilege Vulnerability in Keystore	CVE-2015-3863	High	No
Elevation of Privilege Vulnerability in Region	CVE-2015-3849	High	No
Elevation of Privilege vulnerability in SMS enables notification bypass.	CVE-2015-3858	High	No
Elevation of Privilege Vulnerability in Lockscreen	CVE-2015-3860	Moderate	No
Denial of Service Vulnerability in Mediaserver	CVE-2015-3861	Low	No

According to Ars Technica, the two critical fixes address vulnerabilities found in the libstagefright Android media library. These allowed users to execute harmful code on users' devices, and Google has been working with device manufacturers and carriers to get on top of the issue over the past several months.

These updates come just as Zimperium Mobile Security has released proof of concept codeshowing how the Stagefright vulnerabilities could be exploited.

Mitigation Techniques Used To Prevent Exploitation:

• Remote exploitation for many issues on Android versions 4.1 (Jelly Bean) and higher is mitigated by enhancements in the Address Space Layout Randomization (ASLR) algorithm used in those versions. Android 5.0 improved ASLR by requiring PIE (position-independent executable) for all dynamically linked executables further strengthening the ASLR protection. We encourage all users to update to the latest version of Android where possible.
• The Android Security team is actively monitoring for abuse of issues with Verify Apps and SafetyNet which will warn about potentially harmful applications about to be installed. Device “rooting” tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known Rooting applications. Verify Apps will block installation of known “malicious” applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will attempt to automatically remove any such applications and notify the user.
• As appropriate, Google has updated the Hangouts and Messenger applications so that media is not automatically passed to vulnerable processes (such as Mediaserver.)

For more on what's changed in the latest updates, check out the latest entry in our AOSP Changelog series and the source link below.

• Twitter
• Facebook
• Google
• Tumblr
• Pinterest