Google announced its monthly security patches for Android this week, in which it addressed a number of critical vulnerabilities—including six related to the Android Mediaserver component that could be used to remotely execute code.
In addition to the Mediaserver fixes, Google also patched four vulnerabilities related to Qualcomm components found in Android devices, including Google’s Nexus 6P, Pixel XL and Nexus 9 devices.
According to Google, the most severe of the issues patched was a vulnerability in its Mediaserver component “that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.”
Mediaserver is a program built into the Android system that is designed to scan all available media files on the device and index them, making it easier applications on the device to quickly access the files.
It has also been a bit of a bane for Android users, as fingers are often pointed at the service for eating up battery and occupying too much of the device’s available memory resources while it performs its task.
None of those annoyances quite match up to the potential harm an exploit of the vulnerability could have caused. The attack required a specially crafted file to take advantage of the hole, but an enterprising hacker would effectively be able to cause memory corruption while Mediaserver is operating.
Google also patched up a number of vulnerabilities that stemmed from Qualcomm components that could have led to an attacker gaining root privilege of a device. According to Google, the flaw would have allowed an attacker to gain high-level access and execute malicious code on the device.
Luckily for Android users, those issues are should now be squashed. Google assured its users in its monthly report that there have been zero reports of any of the security flaws being exploited in the wild.
It is still advised that users download the most recent security update to keep their devices protected against potential attacks, especially now that Google has illuminated some of the possible flaws.
The security update has been made available in two parts, with a patch for the most critical issues released on Monday. A complete patch, which will deal with more than 17 critical vulnerabilities, will be made available to users on May 5.
Google split the patches in order to “provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices.”
Owners of the Nexus 5X and 6P devices made by Google should note that the final “guaranteed” updates for those handsets will be made available in September 2017. After that, Google will only push necessary security fixes to those devices.