Google has released fixes for a long list of vulnerabilities in Android, including 10 critical flaws that could lead to remote code execution.
All of the critical vulnerabilities fixed in Android’s August security update are in the operating system’s media framework. Google no longer provides many details about the vulnerabilities it fixes in Android, but the company said these flaws can be exploited with a malicious file.
“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” the Android bulletin says.
Among the other flaws fixed this month is an issue with the Broadcom chips in some Android devices. This vulnerability appears to be distinct from the Broadpwn flaw that Google and Apple both patched last month. Broadpwn enabled an attacker to compromise a target device with one WiFi probe request. Nitay Artenstein, the researcher who discovered Broadpwn, said in a talk at Black Hat last month that the vulnerability was simple to exploit.
“I can send one probe request and trigger the bug. It’s enough just for your phone to be in your pocket and it will work,” he said.
In the August update, Google also patched five elevation-of-privilege vulnerabilities in the Android kernel, all of which could allow a malicious app to execute code in the context of a privileged process.