Google fixes high-risk Android vulnerabilities in July update

Google's latest security update resolves severe problems including remote code execution security flaws.
Written by Charlie Osborne, Contributing Writer

Google is rolling out patches for Android in the July security bulletin, which contains dozens of security fixes for weaknesses in the Android system, many of which are deemed critical.

With a slight delay due to Independence Day weekend, Google released the latest security advisory on Wednesday for the Android mobile operating system. It affects Google's Nexus product range and any handset or tablet based on Android.

The most severe issue patched is a set of critical flaws in Mediaserver, which could enable remote code execution on a vulnerable device when it processes media files delivered through methods including fraudulent emails, phishing campaigns, web browser injections, and MMS.

Google has also patched remote code execution flaws discovered within OpenSSL, BoringSSL, and Bluetooth protocols.

While Android's Mediaserver, a system which processes and transfers media files, is one of the most-patched systems in this update, the open-source library libpng, which Android relies upon, was also a cause for concern. Google patched a privilege escalation flaw rated as "important" and used the scheduled security update to address privilege escalation and denial of service issues in Bionic, the standard C library developed by Google for the Android framework.

Privilege escalation vulnerabilities in Mediaserver, sockets, LockSettingsService, framework APIs, and ChooserTarget service were also resolved.

A set of information disclosure issues was also fixed across the Android operating system.

In addition, another set of patches, which deals with these problems as well as hardware-based problems, has also been released for vendors. These updates are device-specific, and it is up to vendors to issue them.

Qualcomm, in particular, has been heavily hit with security updates for components including the GPU driver, performance systems, USB, camera, and Wi-Fi drivers. Devices using the firm's components will receive fixes for problems leading to privilege escalation, information leaks, and denial of service.

Vulnerabilities in Nvidia's video driver, alongside various MediaTek drivers, have now been patched in the July update. Google has also fixed device-based kernel problems from unspecified vendors, which could lead to privilege escalation.

Google says it is not aware of any incidents of these vulnerabilities being actively exploited in the wild.

The updates will be rolled out in the next 48 hours, and an over-the-air (OTA) update for Google Nexus devices has also been released. Vendors affected by these security disclosures were informed of the release in early June.

In order to protect yourself against these issues, you should accept the security update as soon as it lands on your device.

Security researchers from the Chrome security team, KeenLab, Tencent, Qihoo 360, and Trend Micro were among those who submitted these vulnerabilities for review.

In June, Google fixed dozens of critical, dangerous bugs affecting Android, some of which led to privilege escalation and device hijacking.
