Google plugs 15 critical security holes in Android update

Google's April collection of security updates for its Android mobile operating system takes care of no fewer than 15 vulnerabilities rated as critical, the company said.

As with past security alerts, the mediaserver component of Android has emerged as one of the most vulnerable.

Since mediaserver is a privileged Android operating system feature that can be reached during video playback, while viewing images and audio, and while sending multimedia text messages, attackers can use the vulnerabilties in the component to remotely execute code on user devices.

Five more mediaserver flaws have been rectified in the April security update, along with a related remote code execution vulnerability in media codecs used by the operating system component.

A remote code execution flaw in the libstagefright library has also been plugged by Google.

Elsewhere, security researchers have uncovered three remote code execution flaws in Android's implementation of the dynamic host configuration protocol daemon background process, which is used to automatically configure devices with internet protocol addresses and gateways.

All three are rated as critical as the DHCP client runs as a privileged process with extensive system access.

The April security update also takes care of two privilege escalation bugs in the Android kernel that could allow malicious apps to run code with the potential to permanently compromise devices, which would require reflashing of the operating system to repair them, Google said.

Qualcomm modules used in Android for the system processor and radio-frequency component can also be abused to permanently compromise devices, again requiring a reflash to fix the problem.

A further 13 vulnerabilities rated as high and another eight said to be moderate, were also patched in the April update.

Last month, Google was forced to issue an out-of-band update to address the CVE-2015-1805 rooting vulnerability in the Linux kernel, which was discovered last year but remained unpatched in Android. 

The April patches are delivered to Nexus devices as an over-the-air update, and Google has also made new firmware images available on its developer website. Patches will be released as source code to Google's Android partners over the coming few days, the company said.