Multiple critical Android flaws patched in May security update

Several critical and high severity vulnerabilities have been pacthed in Google's latest round of security patches for its Android mobile operating system.

A total of 49 vulnerabilities are listed in Google's regular monthly security advisory for May 2016.

Twelve CVEs are listed as critical by Google, and all affect its Nexus devices. Google recently modified its severity ratings system to include new definitions of successful exploitation of critical vulnerabilities:

• Remote code execution in privileged Android system processes;
• Permanent device compromise that requires reflash of the operating system;
• Unauthorised acess to data secured by the Trusted Execution Environment in Android; and
• Denial of service attacks conducted remotely that result in the device being permanently unusuable, or requiring a reflash.

Google said it had collected data over the last six months on reported vulnerabilities, and the revised severity ratings system aims to align more closely with the real-world impact for users.

Hardware driver vulnerabilities make up most of the critical flaws in the May round of patches.

These include privilege escalation in the Nvidia video and Qualcomm wi-fi drivers,  and Qualcomm's TrustZone security feature.

As in past security alerts, the Android mediaserver library has again been found vulnerable, with two remote code execution flaws patched. Attackers can exploit such vulnerabilities by sending emails, through multimedia messaging service media files, or through malicious websites, Google said.

A further 19 vulnerabilities rated as high are patched in the May 2016 update, most providing potential attackers with a vector for privilege escalation for full system access.

Two remote code execution flaws in the Android Linux kernel are also being patched, along with a Bluetooth vulnerability to the same effect.

Google pointed out that newer versions of Android make exploitation of security vulnerabilities more difficult. The company monitors potentially harmful applications with its Verify Apps and SafetyNet features, which warn users and block known malicious code.

New firmware images containing the security fixes have been released for Google Nexus devices, which will also be updated over the air.