Google Patches 6 Critical Android Mediaserver Bugs in May Security Update
Google pushed out its monthly Android patches Monday, addressing 17 critical vulnerabilities, six of which are tied to its problematic Mediaserver component. An additional four critical vulnerabilities related to Qualcomm components in Android handsets including Google’s own Nexus 6P, Pixel XL and Nexus 9 devices were also patched.
“The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files,” wrote Google in its May Android Security Bulletin.
According to Google, the most severe of the issues patched was a vulnerability in its Mediaserver component “that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.”
Mediaserver is a program built into the Android system that is designed to scan all available media files on the device and index them, making it easier for applications on the device to quickly access the files.
It has also been a bit of a bane for Android users, as fingers are often pointed at the service for eating up battery and occupying too much of the device’s available memory resources while it performs its task.
Mediaserver vulnerabilities can theoretically be exploited through multimedia messages (MMS), which is why Google has disabled the automated display of such messages in the default Android text messaging app and Google Hangouts. However, third-party applications might still be exposed to this attack vector.
None of those annoyances quite match up to the potential harm an exploit of the vulnerability could have caused. The attack required a specially crafted file to take advantage of the hole, but an enterprising hacker would effectively be able to cause memory corruption while Mediaserver is operating.
No Evidence of Flaws Being Exploited in the Wild
Six of the 17 critical patches are addressed with the 2017-05-01 partial security patches, while the remaining 11 critical security flaws affecting various drivers, libraries and bootloaders are patched in the 2017-05-05 complete patch level.
The good news is that Google assured its users that there are no reports of any of the security vulnerabilities being exploited in the wild.
Google says having two patch levels “provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices.”
So, users are strongly advised to download the most recent Android security update to keep their devices protected against any potential attack.
Google only releases firmware updates for its supported Nexus and Pixel devices and then makes the relevant patches available to the Android Open Source Project (AOSP)—the code that serves as a base for the firmware produced by device makers. Users should look for firmware updates for their specific devices from their manufacturers.
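To check where a device stands against the two May patch levels described above, the following added example (not from Google or the original article) classifies a security patch level string and audits a small inventory. The device names and inventory lines are constructed, and the script assumes that later patch levels include the May fixes.

```shell
#!/bin/sh
# Added example: classify an Android security patch level string against the
# two May 2017 levels named in the article. Not Google's code.
PARTIAL_LEVEL="2017-05-01"   # from the article: 6 of the 17 critical fixes
COMPLETE_LEVEL="2017-05-05"  # from the article: the remaining 11 critical fixes

# Prints one of: complete | partial | missing | invalid
classify_patch_level() {
    # adb output often ends in a carriage return; strip it before validating.
    lvl=$(printf '%s' "$1" | tr -d '\r')
    # Accept only YYYY-MM-DD; anything else (empty, vendor junk) is invalid.
    case $lvl in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # Fixed-width ISO dates order correctly as integers once dashes are removed.
    n=$(printf '%s' "$lvl" | tr -d '-')
    partial=$(printf '%s' "$PARTIAL_LEVEL" | tr -d '-')
    complete=$(printf '%s' "$COMPLETE_LEVEL" | tr -d '-')
    if [ "$n" -ge "$complete" ]; then
        echo complete
    elif [ "$n" -ge "$partial" ]; then
        echo partial
    else
        echo missing
    fi
}

# Reads "device-id patch-level" lines on stdin; prints devices below the complete level.
audit_inventory() {
    while read -r device level; do
        [ -n "$device" ] || continue
        status=$(classify_patch_level "$level")
        [ "$status" = complete ] || printf '%s %s %s\n' "$device" "${level:-none}" "$status"
    done
}

# Constructed sample inventory (device names and levels are made up).
# On a real device the value comes from:
#   adb shell getprop ro.build.version.security_patch
audit_inventory <<'EOF'
lab-phone-01 2017-05-05
lab-phone-02 2017-05-01
lab-phone-03 2017-04-05
lab-tablet-04 2017-06-01
lab-phone-05
EOF
```

A device reported as `partial` has only the 2017-05-01 subset of fixes; `invalid` means the patch level could not be read and the device needs a manual check.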