Google has just released fixes for a pile of vulnerabilities in Android, including three dozen critical flaws in Qualcomm components that affect the operating system.
The August patch release from Google is, like last month’s, split into two separate patch levels. The August 1 level contains a small subset of the fixes that are included in the full August 5 patch set. The Qualcomm fixes are only included in the latter batch, as are patches for a number of kernel vulnerabilities.
The August 1 patch level includes fixes for a couple of remote code execution vulnerabilities, one in Mediaserver and one in libjhead.
Google patched 36 critical bugs in Qualcomm components in Android.
“A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. The Mediaserver process has access to audio and video streams, as well as access to privileges that third-party apps could not normally access,” the Android bulletin says.
The full patch release has fixes for two other remote code execution bugs, including one in the Qualcomm Wi-Fi driver.
“A remote code execution vulnerability in the Qualcomm Wi-Fi driver could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise,” the bulletin says.
There’s also a critical elevation of privilege vulnerability in a Qualcomm Android component. The bug could allow an attacker to execute arbitrary code locally on a device in the context of the kernel, leading to total compromise of the phone.
Google will push out an over-the-air update to its Nexus Android devices with the full August 5 patch level. Carriers are responsible for sending out updates for other Android devices.