Google has released a huge security update for Android that fixes dozens of vulnerabilities, including a number of critical flaws that allow remote code execution.
In an unusual move, Google released two distinct sets of patches: July 1 and July 5. The July 5 level has many more fixes, and Google said it separated the release into two pieces in order to allow carriers to patch some serious bugs more quickly.
“This bulletin defines two security patch level strings to provide Android partners with the flexibility to move more quickly to fix a subset of vulnerabilities that are similar across all Android devices,” Google said.
The most serious of the vulnerabilities are several critical remote code execution bugs, including a number of separate flaws in Mediaserver. Those flaws are fixed in the July 1 patch level release, along with a handful of other critical vulnerabilities.
“A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. The Mediaserver process has access to audio and video streams, as well as access to privileges that third-party apps could not normally access,” the Google bulletin says.
“The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.”
Many of the vulnerabilities fixed in the July 5 release are information disclosure or elevation of privilege vulnerabilities, including more than 20 bugs in Qualcomm components. Google has already pushed out an over-the-air update for Nexus devices that contains today’s patches, and the company said that the fixes will be in the Android Open Source Project repository in the next 48 hours. The company said it hasn’t had any reports of exploitation of the bugs patched in today’s release.