Kicking off the first day of November with its fourth monthly Android security bulletin, Google has set up a new roadblock for the Stagefright vulnerability on Nexus devices.
Google just published a package containing patches for two 'critical' and four 'high' vulnerabilities, along with a fix for a 'moderate' flaw. The patches seek to address new Stagefright vulnerabilities that have been dubbed Stagefright 2.0.
The patches for the critical issues both address vulnerabilities that could be exploited to remotely execute code and commands on Android devices.
One of the patches for the four high-severity vulnerabilities sews up a hole for information disclosure, while the other three, along with the moderate-severity backdoor, address flaws that could enable unauthorized elevation of privileges.
"The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," Google said. "We have had no reports of active customer exploitation of these newly reported issues."
Though the patch arrived Nov. 1, Google indicated that it did its due diligence by alerting its partners to the issues and fixes ahead of time (Oct. 5).
Five of the seven patches address issues in Mediaserver, libutils, libmedia and libstagefright, in connection with the notorious Stagefright vulnerability; the other two tackle vulnerabilities in Bluetooth and telephony.
The Stagefright vulnerability seized the attention of the tech world last summer when it was discovered that malicious software, and the hackers behind it, could creep through backdoors in the media playback server.
While hardware and software vendors have sought to catch up with the Stagefright vulnerabilities, Zimperium zLabs, the company that spotted the issue in July, says Stagefright 2.0 recently emerged and was reported at the start of October. The company notified the Android Security Team of the new vulnerabilities back in August.
With Google publishing fixes for its Nexus devices and giving partners a month of lead time, it appears Stagefright 2.0 will have little room to breathe.