Android security: Google's June update splats dozens of critical, high-severity bugs

Google rolls out the June security update for Nexus and Android -- but will your device be among those getting the fixes?
Written by Liam Tung, Contributing Writer

Eight critical vulnerabilities are addressed in the June update.


Google is rolling out its June patches for Android, which contain dozens of fixes for critical and high-severity bugs in the world's most widely-used mobile operating system.

The first Monday of a new month brings the latest Android security bulletin, detailing bugs that affect Google's own Nexus devices and devices from the Android ecosystem.

Secure Android devices should be running the Android Security Patch Level of June 01, 2016. Google notified Android partners about the issues in this bulletin on May 2.

One of the most serious bugs fixed in this update is once again in Android's Mediaserver component.

"A remote code-execution vulnerability in Mediaserver could enable an attacker using a specially-crafted file to cause memory corruption during media file and data processing," Google notes. The bug affects all versions of Android that Google provides patches for, from Android 4.4.4 KitKat through to Android 6.0.1.

A similar set of remote code-execution vulnerabilities existed in a component related to Mediaserver called libwebm.

These are two of eight critical vulnerabilities addressed in the June update. Other critical bugs include several elevation of privilege flaws in Qualcomm components, such as its video, sound, and Wi-Fi drivers. The bugs are specific to select Nexus devices.

There are a further 28 flaws rated as high severity, 12 of which are elevation of privilege flaws in Mediaserver.

"An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High because it could be used to gain local access to elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application," Google explains.

There are also four vulnerabilities rated as moderate impact in this update.

It remains to be seen how many Android handsets will receive the June update. Samsung updates higher-end Galaxy devices every month, and LG and BlackBerry also line up Android updates to sync with Google's monthly updates.

The Federal Communications Commission and the Federal Trade Commission launched a probe in early May to discover how manufacturers decide whether to patch a vulnerability on a particular device. They also wanted carriers to explain how they review security updates.

Apple, BlackBerry, Google, HTC, LG, Microsoft, Motorola, and Samsung have received letters.

Google is understood to be stepping up pressure on Android partners, with Bloomberg reporting in May that Google was considering naming and shaming Android device makers and carriers that don't deliver updates to end-user devices.

According to the report, Google already shares lists with Android makers showing how their devices rank compared with the current patch level and OS version.

In May, Google also renamed its monthly Nexus security bulletin the Android security bulletin, to reflect that the notice also covers flaws affecting non-Nexus devices.
