Recently, Google has released the security update for its Android Nexus devices(Android Open Source Project(AOSP)), in March 2016. During this update around 19 security issues has been fixed by Google. Four major holes were patched by this update, along with a lot of other vulnerabilities.
Among those 19 updates: 10 were considered as “HIGH”, 4 were considered as “CRITICAL” and 2 were considered as “MODERATE”. So, many flaws and vulnerabilities were there that were all now patched by the Google. The patches include vulnerabilities with Android’s media server, Stagefright vulnerabilities, Qualcomm performance component etc. Within these patches, Android’s Media Server is a kind of service by which the device can easily index media files that are located on device and Qualcomm performance could be triggered to allow elevation of privilege vulnerability. Qualcomm performance component also enables to execute arbitrary code by the local malicious application in Kernel.
Google notes that
“The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media, The media server service has access to audio and video streams as well as access to privileges that third-party apps could not normally access.”
Whatever the critical vulnerabilities patched in the update were not an indication of any active customer exploitation, that all were found internally by Google.
Google explained by the issue Qualcomm performance component that
“This issue is rated as a critical severity due to the possibility of a local permanent device compromise, and the device could only be repaired by re-flashing the operating system”
The places where these critical vulnerabilities found were:
Android’s Display Driver.
Skia graphics library media server.
Mobile operating system’s kernel.
In one of the Google blog post said,
“Android was built from day one with security in mind, Security continues to be a top priority and monthly device updates are yet another tool to make and keep Android users safe.”
The vulnerability was in operating system’s core (Kernel) could increase the third-party software or privilege level and the other critical flaws exploited the remotely execute code.