The new version of Android Nougat released this week by Google fixes more than 70 vulnerabilities, including three remote code execution bugs and 29 critical flaws.
As it has done for the last few months, Google released two separate patch levels in its January update, the Jan. 1 and Jan. 5 levels. The latter is the more extensive update and has patches for several dozen serious vulnerabilities, most notably a critical remote code execution flaw in the Mediaserver component of Android.
“A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process,” the Google advisory says.
Mediaserver is among the components in Android that are patched most often, and many of the vulnerabilities discovered in it are quite serious. There have been a number of critical, widespread bugs found in the media stack in Android, including the notorious Stagefright bug that affected billions of devices worldwide. To help address the problem, Google rebuilt the media stack in Nougat, including redesigning and hardening the Mediaserver.
“In Android Nougat, we’ve both hardened and re-architected mediaserver, one of the main system services that processes untrusted input. First, by incorporating integer overflow sanitization, part of Clang’s UndefinedBehaviorSanitizer, we prevent an entire class of vulnerabilities, which comprise the majority of reported libstagefright bugs. As soon as an integer overflow is detected, we shut down the process so an attack is stopped,” Xiaowen Xin of the Android security team said.
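The fail-closed behaviour Xin describes, sketched as an added C example (not code from Android or from the article): a size computation on constructed header fields, with an explicit check standing in for the ones the sanitizer inserts at compile time. The struct, field and function names are hypothetical; `__builtin_mul_overflow` is a GCC/Clang builtin.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: two length fields a media parser might read
 * straight from an untrusted file header. */
struct table_hdr {
    uint32_t entry_count;
    uint32_t entry_size;
};

/* Unchecked: the 32-bit product wraps silently, so the caller can end up
 * with a buffer size far smaller than the data it goes on to copy. */
uint32_t table_bytes_unchecked(const struct table_hdr *h) {
    return h->entry_count * h->entry_size;
}

/* Checked: returns 0 and stores the size, or -1 if the product overflows. */
int table_bytes_checked(const struct table_hdr *h, uint32_t *out) {
    return __builtin_mul_overflow(h->entry_count, h->entry_size, out) ? -1 : 0;
}

/* Fail closed: stop the process at the overflow instead of continuing
 * with a wrapped size, which is the policy the quote describes. */
uint32_t table_bytes_or_abort(const struct table_hdr *h) {
    uint32_t n;
    if (table_bytes_checked(h, &n) != 0) {
        fprintf(stderr, "integer overflow computing table size, aborting\n");
        abort();
    }
    return n;
}

int main(void) {
    struct table_hdr ok  = { 1000u, 16u };          /* constructed, benign  */
    struct table_hdr bad = { 0x10000001u, 16u };    /* constructed, hostile */

    printf("benign size:    %u\n", (unsigned)table_bytes_or_abort(&ok));
    printf("wrapped size:   %u\n", (unsigned)table_bytes_unchecked(&bad));
    table_bytes_or_abort(&bad);                     /* process stops here */
    return 0;
}
```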
In the January update, Google also patched two other remote code execution flaws, one in the c-ares library and one in Framesequence, both of which are rated as high.
“A remote code execution vulnerability in c-ares could enable an attacker using a specially crafted request to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library,” the Google advisory says.
Google also fixed a privilege-escalation vulnerability in the NVIDIA GPU driver that comes with some potentially serious consequences.
“An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device,” the advisory says.