Full Text

Google rolled out its second monthly Android security update earlier this month, but the fixes are only beginning to hit handsets.

The bundle included updates for 15 critical remote code execution flaws related to the Stagefright vulnerability, as well as 15 other vulnerabilities in various Android components, such as the Media Player Framework, Android Runtime, Bluetooth, and Mediaserver. The bugs have been addressed in builds LMY48T and later (such as LMY48W) and Android 6.0 Marshmallow, according to the bulletin posted on the Android Security Updates group.

[ InfoWorld's Mobile Security Deep Dive. Download it today in your choice of PDF or ePub editions! | Keep up on key mobile developments and insights with the Mobile Tech Report newsletter. ]

Google botched the first update fixing Stagefright vulnerabilities over the summer and had to release a second update to actually fix the problem. This latest update, which addressed multiple issues within the libstagefright library, doesn't repeat the mistake.

"As appropriate, Google has updated the Hangouts and Messenger applications so that media is not automatically passed to vulnerable processes (such as mediaserver)," Google said in its bulletin.

What was fixed in LMY48T

The majority of the vulnerabilities fixed in this update could have been exploited when opening a specially crafted media file. The Stagefright vulnerabilities would have allowed an attacker to cause memory corruption and remote code execution in the mediaserver service when opening...