Google has issued a security update for its Nexus range of smartphones to fix several critical vulnerabilities in the Android operating system.

The most serious of the issues, identified in Google’s December 2015 security bulletin, allows attackers to run arbitrary code remotely on a user’s device by sending them a compromised media file.
The compromised file could be received by a user as an email attachment or an MMS message, or be opened in the web browser. The malicious code is then executed as the file is being processed by the operating system’s Android Mediaserver component.
Google said it notified its partners and provided updates for the security issues, which were uncovered last week. Source code for the patches will be released to the Android Open Source Project repository over the next two days.
A further 10 vulnerabilities rated as high severity in different Android system components have also been patched as part of the December security update.
Four of the high severity bugs, CVE-2015-6620, 6626, 6631 and 6632, are in Android’s libstagefright audio and video processing component. The library has previously been found to contain vulnerabilities estimated to put around a billion Android devices at risk of attack.
The remote code execution vulnerability was jointly discovered by one of Google’s Project Zero researchers, working with security vendor Trend Micro. The other critical flaws were discovered by the Google Chrome security team.
Google has been criticised over recent years for not taking Android security seriously, and responded in August this year by committing to monthly security patches.