This week the latest batch of over-the-air security updates started rolling out to Nexus devices, most going under version LMY48M. Google also posted the goods online in the form of factory images. The company then went on to provide a list of the security fixes.

Eight make the list, with one having actually been exploited in the wild, though it is unclear whether this was used maliciously or was just someone rooting their own device. None of the vulnerabilities are newly disclosed.

| Title | CVE | Severity | Active Exploitation |
|---|---|---|---|
| Remote Code Execution Vulnerability in Mediaserver | CVE-2015-3864 | Critical | No |
| Elevation of Privilege Vulnerability in Kernel | CVE-2015-3636 | Critical | Yes |
| Elevation of Privilege Vulnerability in Binder | CVE-2015-3845, CVE-2015-1528 | High | No |
| Elevation of Privilege Vulnerability in Keystore | CVE-2015-3863 | High | No |
| Elevation of Privilege Vulnerability in Region | CVE-2015-3849 | High | No |
| Elevation of Privilege vulnerability in SMS enables notification bypass | CVE-2015-3858 | High | No |
| Elevation of Privilege Vulnerability in Lockscreen | CVE-2015-3860 | Moderate | No |
| Denial of Service Vulnerability in Mediaserver | CVE-2015-3861 | Low | No |

According to Ars Technica, the two critical fixes address vulnerabilities found in the libstagefright Android media library. These allowed harmful code to be executed on users' devices, and Google has been working with device manufacturers and carriers to get on top of the issue over the past several months.

These updates come just as Zimperium Mobile Security has released proof of concept code showing how the Stagefright vulnerabilities could be exploited.

Mitigation Techniques Used To Prevent Exploitation:

  • Remote exploitation for many issues on Android versions 4.1 (Jelly Bean) and higher is mitigated by enhancements in the Address Space Layout Randomization (ASLR) algorithm used in those versions. Android 5.0 improved ASLR by requiring PIE (position-independent executable) for all dynamically linked executables, further strengthening the ASLR protection. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team is actively monitoring for abuse of issues with Verify Apps and SafetyNet, which will warn about potentially harmful applications about to be installed. Device “rooting” tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known rooting applications. Verify Apps will block installation of known “malicious” applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will attempt to automatically remove any such applications and notify the user.
  • As appropriate, Google has updated the Hangouts and Messenger applications so that media is not automatically passed to vulnerable processes (such as Mediaserver).

For more on what's changed in the latest updates, check out the latest entry in our AOSP Changelog series and the source link below.