Google Delivers Five Critical Vulnerability Patches To Nexus Devices

Google is rolling out patches for 12 Android vulnerabilities, five of them critical, to its Nexus range of devices.

The most severe of this is one that could allow for remote code execution (RCE) on an affected device through the use of a malicious media file. This can be exploited through any number of ways, including email, the browser and MMS when processing such files.

In theory this could mean an attacker could load malware onto a device, access files and perform other tasks. Google says it has seen no such attacks in the wild however.

Google security

The four other critical flaws are rated so because they are elevation of privilege escalation vulnerabilities that could cause permanent device damage which can be resolved only through re-flashing.

The ones in question affect the ‘misc-sd’ driver from MediaTek, an Imagination Technologies Driver, Trustzone and the kernel. Other less severe flaws affecting Wi-Fi, Bluetooth and other aspects of Android are also patched.

The security of Android has come under increased scrutiny in recent times, with a Cambridge University report suggesting 88 percent of devices running the platform are at risk. Researchers said some devices can expect just on update a year. However Google itself was not blamed, with the finger pointed at the manufacturers.

Back in August, Google announced it would be committed to sending out monthly security updates as the company looks to better protect customers using its mobile OS. Google has been providing Android manufacturers with a monthly bulletin of security issues so that they can keep their users secure, but recent vulnerabilities such as Stagefright forced this improvement.

For this latest raft of patches, Google said it notified and provided updates to manufacturers on December 7 or earlier and says source code will be updated to the Android Open Source Project (AOSP) repository within the next 48 hours.