Google fixes another Mediaserver bug in monthly Android security update

Mediaserver continues to be in the limelight as Google patches yet another critical vulnerability in how Android processes media files

Google has patched 30 vulnerabilities in Android's Mediaserver component since it began releasing monthly security updates for the mobile operating system in August. Patches addressing flaws in Mediaserver and the media playback engine will likely be a mainstay of these monthly bulletins for the foreseeable future.

Google patched 12 vulnerabilities in the latest monthly Android Nexus Security Bulletin, of which five were rated as critical severity, two as high, and five as moderate. Google has patched at least one Mediaserver bug as part of these bulletins every month since August, and January continues the trend. January's Mediaserver flaw (CVE-2015-6636), if successfully exploited, would allow an attacker to use email, Web browsing, and MMS processing of media files to remotely execute code.

"During media file and data processing of a specially crafted file, vulnerabilities in Mediaserver could allow an attacker to cause memory corruption and remote code execution as the Mediaserver process," Google said.

Versions 5.0, 5.1.1, 6.0, and 6.0.1 are all affected.

Software will have bugs. And when several researchers start scrutinizing the same code, more bugs will be found. This is exactly what is happening with Mediaserver, as researchers uncover vulnerabilities that are "tangential" to each other, said Christopher Budd, a global threat communications manager at Trend Micro. They all exist in the same component, but are distinct issues.

Security researchers began digging into the code for Mediaserver and the media playback engine after Zimperium zLabs researcher Joshua Drake disclosed the Stagefright vulnerability over the summer. Found in the libstagefright library, Stagefright could potentially allow attackers to remotely execute code and take control of the device by sending maliciously crafted MMS messages.

Google promptly released a comprehensive update for Stagefright, and since then has closed multiple flaws in the libstagefright library, Mediaserver, and related media processing components. In this month's update, Google said it has modified the default behavior on Hangouts and Messenger so that the apps would not automatically parse multimedia messages.

Mediaserver interacts with a number of applications, and vulnerabilities in this component could be exploited by attackers in a number of ways. For example, attackers can trick users into playing specifically crafted media files in their browsers or by opening multimedia messages sent to their devices. The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps cannot normally access, Google said.

The January update will be rolled out to supported Nexus devices -- Nexus 5, 6, 5X, and 6P smartphones and Nexus 7, 9, and 10 tablets -- as an over-the-air update. Each phone manufacturer has to work with individual phone carriers to push out individual device updates. Even though Samsung and HTC have committed to providing customers with security updates, there is a lag between when the bulletins are available and when the phones receive them. Not all devices are being updated, making the entire situation highly confusing for users wondering if their phones are safe.

Android users can check the firmware version on their devices to see if the updates have been applied. Devices with builds LMY49F or later include the patches. Users with devices running Android Marshmallow can look up the Security Patch Level under Settings > About Phone. If the security panel lists Security Patch Level of Jan. 1, 2016 or later, then these issues have been addressed. The security panel is available on devices running Marshmallow and some Samsung devices running Lollipop, including Galaxy S6 Edge+ and Galaxy Note 5.

Copyright © 2016 IDG Communications, Inc.