Just like any operating system, it's always a progress on the move. No matter how good the developers were in creating it, there are still bugs lurking somewhere around the corner.
In October, Google found another Stagefright vulnerability in its Android operating system, and that is not even the scariest bug Google found since its latest monthly Android update.
On November 2nd, 2015, Google announced that there were seven flaws in different software libraries that are the most concerning. All of which could remote control execution, enabling hackers to send multimedia messages and emails to initiate their attacks.
Google and its Chrome security team found six bugs in Android's 'mediaserver' (CVE-2015-6608) component. The component that processes media files is making one of the critical issues.
Android's services depend heavily on this component in order to process MMS messages, initiating video and music playback, among others. With the flaw in the mediaserver, hackers can exploit a code to attack.
This is similar to Stagefright that enables hackers to exploit vulnerabilities by using a single text.
Another critical bug Google found was in Android's 'libutils' library (CVE-2015-6609). Also in the core part of Android, similar to mediaserver, this is the same component exploited in the Stagefright 2 issue. Also similar to mediaserver, libutils also pose vulnerabilities when dealing with MMS and media playbacks.
Daniel Micay of Toronto-based Copperhead Security was the one who first reported the vulnerability on August 3rd.
A vulnerability (CVE-2015-6610) was also fixed in the 'libstagefright' library, which was separated from Stagefright vulnerabilities reported by Zimperium researcher Joshua Drake earlier. Privilege elevation bugs are also closed in Bluetooth (CVE-2015-6613), the telephone app (CVE-2015-6614), and libmedia (CVE-2015-6612).
Other minor bugs were squashed with a patch during the update. The most frightening were the mediaserver and libutils, as they were rated as high and were a priority. Both represents holes which grant attackers remote code execution.
Attackers can exploit them by sending crafted media files to affected devices.
Google said that it would have given them a critical rating, but there were a "lower likelihood that it can be exploited remotely", but Google didn't explain why.
While Google is able to patch its own Nexus devices, other vendors are notified. In October 5th, Android partners were told about these vulnerabilities. Some of them that include Samsung and LG have committed to update their devices regularly in order to close any gap for exposed vulnerabilities between disclosure and patch release. Others like HTC and Sony are rolling out their own patches in their own time.