Critical Android bugs patched by Google

Google's latest patch bundle takes care of seven critical vulnerabilities in its Android operating system that allow remote code execution, privilege escalation and information disclosure on victim devices.

A further eight flaws are rated as being of high severity.

Flaws in the Mediaserver system component continue to plague Android security: two vulnerabilities, CVE-2016-0815 and 0816, allow for remote code execution through playback of media in the Chrome web browser and via multimedia messaging system (MMS) attachments.

The libvpx WebM VP8 and VP9 video codec library can also be abused remotely to run arbitrary code with the privileges of the system mediaserver process, Google said.

Five privilege escalation bugs are also patched in the March 2016 round of updates. These include flaws in the Conscrypt Java OpenSSL secure sockets layer/transport layer provider, in binary kernel drivers for the Qualcomm Performance Component, in MediaTek Connectivity, and once again, in Mediaserver.

The CVE-2016-0830 vulnerability means attackers can also brick Android phones, with the only fix potentially a reflash of the affected device, Google said.

Fixed Nexus firmware images from Google are available, along with over the air updates in the coming days. The company said it had notified its hardware partners on February 2 this year and would release source code patches for the March set of vulnerabilities within 48 hours.

Google noted that the mitigations built into Android - such as Hangouts and Messenger not automatically passing on media to the Mediaserver process - would make exploitation of the vulnerabilities less likely.

The company nevertheless encouraged users "to update to the latest version of Android where possible" to remain secure.