Google roasts critical twin Android bugs in new Marshmallow OS

Google has patched two critical remote code execution vulnerabilities as part of a suite of seven fixes in its fourth round of Android patching since August.

The over-the-air updates set to hit Nexus, Samsung, and Android Open Source Project (AOSP) devices first for Google's latest Marshmallow Android operating system.

Google informed "partners" on 5 October and patch source code is set to hit the AOSP soon.

Two flaws rated critical include libutils (CVE-2015-6609) and mediaserver (CVE-2015-6608) holes which grant attackers remote code execution.

Attackers can exploit the holes by sending crafted media files to affected devices.

Google says it is unaware of attacks targeting the patched vulnerabilities.

"The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," Google says in an advisory.

"During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.

"The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media."

A vulnerability (CVE-2015-6610) was also fixed in the libstagefright library which was separate to the StageFright vulnerabilities reported by Zimperium researcher Joshua Drake that made headlines earlier this year.

Privilege elevation bugs are also closed in Bluetooth (CVE-2015-6613), the telephone app (CVE-2015-6614), and libmedia (CVE-2015-6612).

Google says exploitation is made harder on the security-improved Marshmallow Android platform. ®