Four critical Android flaws fixed in monthly Nexus patch update

One of the "critical" flaws could lead to a "permanent device compromise," which can only be fixed by reflashing the entire operating system.


Google has fixed 16 security vulnerabilities in Android, four of which it rated "critical."

The search and mobile giant said earlier this year it would release monthly security patches to ensure devices are protected against the latest security flaws. On Monday the company issued its fifth monthly release so far for all Nexus devices.



Google said the most severe bug (CVE-2015-6619) is rated at the highest "critical" level due to the possibility of a "permanent device compromise" that could only be repaired by reflashing the Android software.

The bug, which affects all versions of Android, was reported earlier this year. It could allow an attacker to remotely run code by exploiting a flaw in the system kernel.

Google said it had "no reports of active customer exploitation" of these new issues.

The remaining "critical" bugs relate to media file processing.

One of the bulletins (CVE-2015-6616) said an attacker could remotely run malware on an affected device by sending it an MMS with a specially crafted media file that causes memory corruption.

The critical flaw affects a core part of the Android software, which has access to permissions that third-party apps cannot normally access, the advisory said.

All versions of Android are affected by three of the bugs in the bulletin.

A similar flaw (CVE-2015-6617), which affects all versions of Android, could let an attacker run malware by sending an MMS with a specially crafted media file to an affected device.

Other highly rated vulnerabilities involve flaws in Bluetooth, the media processing service, audio file processing, and how Android handles Wi-Fi.

Nexus devices will get the security updates first, while other Android manufacturers -- Samsung, LG, and BlackBerry -- will follow suit in the coming days.