Google has corrected a number of vulnerabilities in Android 6.0 Marshmallow

Google has released a security bulletin for Android 6.0 Marshmallow that fixes seven vulnerabilities. Two of the flaws allow a remote user to compromise a system.

The manufacturer assigned the highest (Critical) level of risk to the vulnerabilities CVE-2015-6608 and CVE-2015-6609. The flaws exist because of errors in the libutils library and in the libmediaserver service, and allow an attacker to cause memory corruption that leads to system compromise. The vulnerabilities affect all versions of Android, from Android 4.4 KitKat through Android 6.0 Marshmallow.

The vulnerability CVE-2015-6611 is caused by an unspecified error in libmediaserver and allows attackers to disclose sensitive data. The vulnerability has been assigned a high level (Critical) of risk. The flaw can be exploited on Android 5.1 Lollipop and later versions.

Vulnerabilities CVE-2015-6610, CVE-2015-6612 and CVE-2015-6614 exist because of errors in the components libstagefright, libmedia, Bluetooth and Telephony. Local malicious apps can obtain elevated privileges.

All holes have been fixed in the update for LMY48X Android 6.0 Marshmallow.

Multiple vulnerabilities in Google Android

Danger level: 2 Critical and 5 High severity

Fix available: Yes

The number of vulnerabilities: 7

CVE ID:

CVE-2015-6608 – The Critical vulnerability (it can be exploited remotely)

CVE-2015-6609 – The Critical vulnerability (it can be exploited remotely)

CVE-2015-6611 – The High level vulnerability

CVE-2015-6610 – The High level vulnerability

CVE-2015-6612 – The High level vulnerability

CVE-2015-6613 – The High level vulnerability

CVE-2015-6614 – The Moderate level vulnerability

Impact: Disclosure of sensitive data, privilege escalation, system compromise

Affected Products: Google Android 6.0.x

Affected versions: Google Android 6.0.x (Builds LMY48X or later)

Vulnerabilities Description

These vulnerabilities allow a remote user to elevate privileges, disclose sensitive information and compromise a system.

[CVE-2015-6608] This vulnerability is caused by a memory corruption error in libmediaserver. A remote user can compromise the system via a specially crafted file.

[CVE-2015-6609] The vulnerability is caused by a memory corruption error in libmediaserver during audio file processing. It could allow an attacker to execute code remotely on the target system.

[CVE-2015-6611] The vulnerability is caused by an unspecified error in libmediaserver. This can be exploited to disclose sensitive data.

[CVE-2015-6610; CVE-2015-6612; CVE-2015-6613; CVE-2015-6614] These vulnerabilities are caused by errors in the following components:

[CVE-2015-6610] A memory corruption error in the libstagefright service;

[CVE-2015-6612] An unknown error in the libmedia library;

[CVE-2015-6613] An unknown error in the Bluetooth component;

[CVE-2015-6614] An unknown error in the Telephony component.

A local malicious application could elevate its privileges.

Solution: Install the update from the manufacturer's website.

Links:

Manufacturer URL: http://android.com

Nexus Security Bulletin: https://groups.google.com/forum/#!topic/android-security-updates/n1aw2MGce4E