Google still plagued by nasty mediaserver bug with new Android security patches

Google patched eight critical vulnerabilities in Android.
Written by Zack Whittaker, Contributor

It's the thorn in the side of Android security, the bug that just won't seem to go away.

(Image: CNET/CBS Interactive)

Google on Monday released its monthly round of security updates for Nexus devices, with one major flaw floating to the top of the list: a "critical" flaw in mediaserver, a part of Android that finds and indexes media files stored on the device.

If you've heard it before, you're not mistaken. For almost every month since Google started pushing out monthly security patches, a new flaw is found in mediaserver and patched -- or about two-dozen flaws fixed since August.

As is the case with other months, Google is somewhat tight-lipped on the cause, saying only that the flaw "could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," though the flaw is mitigated somewhat as Google Hangouts and Messenger apps can't trigger the flaw.

Google said the flaw affects all versions of Android KitKat (4.4.4) and later.

The company also fixed a number of other "critical" security flaws, including a vulnerability that could allow an attacker to remotely execute code on an Android device through the DHCP networking service.

Two other "critical" flaws affect Qualcomm hardware, which if exploited could result in a "permanent device compromise," said Google, which would require the device to be wiped and reflashed.

Google also fixed a kernel escalation of privilege flaw, which the company warned about mid-last month, which too could have led to a permanent device compromise.

Nexus users can update from Android's settings menu. Other device manufacturers tend to follow in the coming days.

For privacy and security, change these Android settings right now

Editorial standards