Google has released details of its "Android Security Bulletin Monthly Release" for November, which fixes security vulnerabilities in Android.
The monthly security patches ensure that devices are protected against the latest security flaws. This release addresses seven security vulnerabilities in Android, two of which Google rated "critical." The bulletin describes them as "critical" because they target a core part of the Android software, which has access to permissions that third-party apps cannot normally access.
The updates are part of Google's recently introduced monthly patch cycle. They are now available to Nexus devices running both Android 5.1 (Lollipop) and 6.0 (Marshmallow), PCWorld reported. The source code for the fixes will also be added to the Android Open Source Project (AOSP) over the next 48 hours.
The most serious flaws patched in this release are tracked as CVE-2015-6608 and CVE-2015-6609, and are located in the mediaserver and libutils components of Android, respectively. Both vulnerabilities can be exploited remotely through specially crafted media files, affecting all versions of Android. Hackers could remotely exploit the vulnerabilities in multiple ways, including sending MMS messages and tricking users into playing media in the browser.
The patch includes fixes for bugs reported by Trend Micro, System Security Lab and Keen Team, and Google's internal security teams. Partners were notified of the bugs, and the patches will be published to the Android Open Source Project's code repository, according to The Verge.
Google also cites the Verify Apps and SafetyNet services, which monitor for potentially harmful applications; the disabling of automatic media processing in applications like Google Hangouts and Messenger; and anti-exploitation techniques present in newer versions of Android.