The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Google Android KitKat

weakness note CVE-2014-9082 CVE-2015-3847 CVE-2015-3862

Google Android OS: multiple vulnerabilities of October 2015

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Google Android OS.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 31.
Creation date: 06/10/2015.
Identifiers: CERTFR-2015-AVI-418, CVE-2014-9082, CVE-2015-3847, CVE-2015-3862, CVE-2015-3863, CVE-2015-3865, CVE-2015-3867, CVE-2015-3868, CVE-2015-3869, CVE-2015-3870, CVE-2015-3871, CVE-2015-3872, CVE-2015-3873, CVE-2015-3874, CVE-2015-3875, CVE-2015-3877, CVE-2015-3878, CVE-2015-3879, CVE-2015-6596, CVE-2015-6598, CVE-2015-6599, CVE-2015-6600, CVE-2015-6601, CVE-2015-6602, CVE-2015-6603, CVE-2015-6604, CVE-2015-6605, CVE-2015-6606, CVE-2015-6607, CVE-2015-7716, CVE-2015-7717, CVE-2015-7718, VIGILANCE-VUL-18049.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Google Android OS.

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-3873]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-3872]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-3871]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-3868]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-3867]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-3869]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-3870]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-6598]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-6599]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-6600]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-6601]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-6604]

An attacker can use a vulnerability in Sonivox, in order to run code. [severity:3/4; CVE-2015-3874]

An attacker can use a vulnerability in libutils, in order to run code. [severity:3/4; CVE-2015-3875]

An attacker can use a vulnerability in libutils, in order to run code. [severity:3/4; CVE-2015-6602]

An attacker can use a vulnerability in Skia, in order to run code. [severity:3/4; CVE-2015-3877]

An attacker can use a vulnerability in libFLAC, in order to run code. [severity:3/4; CVE-2014-9082]

An attacker can bypass security features in KeyStore, in order to escalate his privileges. [severity:2/4; CVE-2015-3863]

An attacker can bypass security features in Media Player Framework, in order to escalate his privileges. [severity:2/4; CVE-2015-3879]

An attacker can bypass security features in Android Runtime, in order to escalate his privileges. [severity:2/4; CVE-2015-3865]

An attacker can bypass security features in Mediaserver, in order to escalate his privileges. [severity:2/4; CVE-2015-6596]

An attacker can bypass security features in Secure Element Evaluation Kit, in order to escalate his privileges. [severity:2/4; CVE-2015-6606]

An attacker can bypass security features in Media Projection, in order to escalate his privileges. [severity:2/4; CVE-2015-3878]

An attacker can bypass security features in Bluetooth, in order to escalate his privileges. [severity:2/4; CVE-2015-3847]

An attacker can bypass security features in SQLite, in order to escalate his privileges. [severity:2/4; CVE-2015-6607]

An attacker can trigger a fatal error in Mediaserver, in order to trigger a denial of service. [severity:1/4; CVE-2015-6605]

An attacker can trigger a fatal error in Mediaserver, in order to trigger a denial of service. [severity:1/4; CVE-2015-3862]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-6603]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:3/4; CVE-2015-7716]

An attacker can bypass security features in mediaserver, in order to escalate his privileges. [severity:2/4; CVE-2015-7717]

An attacker can trigger a fatal error in mediaserver, in order to trigger a denial of service. [severity:2/4; CVE-2015-7718]
Full Vigil@nce bulletin... (Free trial)

weakness alert CVE-2015-6575

Google Android OS: integer overflow of libstagefright/SampleTable.cpp

Synthesis of the vulnerability

An attacker can generate an integer overflow in libstagefright of Google Android OS, in order to trigger a denial of service, and possibly to run code.
Severity: 3/4.
Creation date: 02/10/2015.
Identifiers: 20139950, CVE-2015-6575, VIGILANCE-VUL-18027.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Google Android OS product uses the Stagefright multimedia library.

However, if a MP4 size is too large, a multiplication overflows in media/libstagefright/SampleTable.cpp, and an allocated memory area is too short.

An attacker can therefore generate an integer overflow in libstagefright of Google Android OS, in order to trigger a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

computer threat bulletin CVE-2014-7915 CVE-2014-7916 CVE-2014-7917

Google Android OS: three vulnerabilities of libstagefright

Synthesis of the vulnerability

An attacker can use several vulnerabilities of libstagefright of Google Android OS.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 02/10/2015.
Identifiers: 15328708, 15342615, 15342751, CVE-2014-7915, CVE-2014-7916, CVE-2014-7917, VIGILANCE-VUL-18026.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Google Android OS.

An attacker can generate an integer overflow in SampleTable.cpp, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 15328708, CVE-2014-7915]

An attacker can generate an integer overflow in SampleTable.cpp, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 15342751, CVE-2014-7916]

An attacker can generate an integer overflow in SampleTable.cpp, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 15342615, CVE-2014-7917]
Full Vigil@nce bulletin... (Free trial)

cybersecurity vulnerability CVE-2015-3876 CVE-2015-6602

Google Android OS: two vulnerabilities of MP3/MP4

Synthesis of the vulnerability

Two vulnerabilities were announced in the processing of MP3/MP4 documents by Google Android OS.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 01/10/2015.
Identifiers: CVE-2015-3876, CVE-2015-6602, Stagefright 2.0, VIGILANCE-VUL-18019.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Two vulnerabilities were announced in the processing of MP3/MP4 documents by Google Android OS.

An attacker can generate a memory corruption in libutils, in order to trigger a denial of service, and possibly to run code. [severity:1/4; CVE-2015-6602]

An unknown vulnerability was announced. [severity:3/4; CVE-2015-3876]
Full Vigil@nce bulletin... (Free trial)

security vulnerability CVE-2015-1528 CVE-2015-3845 CVE-2015-3849

Google Android OS: seven vulnerabilities of September 2015

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Google Android OS.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 7.
Creation date: 10/09/2015.
Identifiers: CVE-2015-1528, CVE-2015-3845, CVE-2015-3849, CVE-2015-3858, CVE-2015-3860, CVE-2015-3861, CVE-2015-3863, VIGILANCE-VUL-17866.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Google Android OS.

An attacker can bypass security features in Binder, in order to escalate his privileges. [severity:3/4; CVE-2015-3845]

An attacker can bypass security features in Binder, in order to escalate his privileges. [severity:3/4; CVE-2015-1528]

An attacker can bypass security features in Keystore, in order to escalate his privileges. [severity:3/4; CVE-2015-3863]

An attacker can bypass security features in Region, in order to escalate his privileges. [severity:3/4; CVE-2015-3849]

An attacker can bypass security features in SMS, in order to escalate his privileges. [severity:3/4; CVE-2015-3858]

An attacker can bypass security features in Lockscreen, in order to escalate his privileges. [severity:2/4; CVE-2015-3860]

An attacker can trigger a fatal error in Mediaserver, in order to trigger a denial of service. [severity:2/4; CVE-2015-3861]
Full Vigil@nce bulletin... (Free trial)

security threat CVE-2015-1536 CVE-2015-1541 CVE-2015-3831

Google Android OS: multiple vulnerabilities of August 2015

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Android OS.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 11.
Creation date: 09/09/2015.
Identifiers: CVE-2015-1536, CVE-2015-1541, CVE-2015-3831, CVE-2015-3832, CVE-2015-3833, CVE-2015-3834, CVE-2015-3835, CVE-2015-3836, CVE-2015-3837, CVE-2015-3843, CVE-2015-3844, VIGILANCE-VUL-17853.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Android OS.

An attacker can generate a buffer overflow in Sonivox Parse_wave, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-3836]

An attacker can generate a buffer overflow in libstagefright MPEG4Extractor.cpp, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-3832]

An attacker can generate a buffer overflow in mediaserver BpMediaHTTPConnection, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-3831]

An attacker can generate a memory corruption in OpenSSLX509Certificate Deserialization, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-3837]

An attacker can generate a buffer overflow in mediaserver BnHDCP, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-3834]

An attacker can generate a buffer overflow in libstagefright OMXNodeInstance::emptyBuffer, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-3835]

An attacker can capture or inject SIM commands. [severity:2/4; CVE-2015-3843]

An attacker can generate an integer overflow in Bitmap_createFromParcel, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-1536]

An attacker can bypass security features in AppWidgetServiceImpl, in order to escalate his privileges. [severity:2/4; CVE-2015-1541]

An attacker can bypass security features in getRecentTasks, in order to escalate his privileges. [severity:2/4; CVE-2015-3833]

An attacker can bypass security features in ActivityManagerService.getProcessRecordLocked, in order to escalate his privileges. [severity:2/4; CVE-2015-3844]
Full Vigil@nce bulletin... (Free trial)

computer threat alert 17729

Google Android OS: spoofing via Task Hijacking

Synthesis of the vulnerability

An attacker can invite the victim to install a malicious application, which exploits the task system of Google Android OS, in order to deceive the victim, to obtain sensitive information.
Severity: 1/4.
Creation date: 21/08/2015.
Identifiers: VIGILANCE-VUL-17729.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Google Android OS product offers an interface allowing users to perform several tasks simultaneously.

However, a malicious application can spoof the interface of another application, and display it on top, in order to deceive user who is not warned of this window change. Other attack variants are available.

An attacker can therefore invite the victim to install a malicious application, which exploits the task system of Google Android OS, in order to deceive the victim, to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

cybersecurity note CVE-2015-3842

Google Android OS: buffer overflow of AudioEffect

Synthesis of the vulnerability

An attacker can generate a buffer overflow in AudioEffect of Google Android OS, in order to trigger a denial of service, and possibly to run code.
Severity: 2/4.
Creation date: 18/08/2015.
Identifiers: AndroidID-21953516, CVE-2015-3842, VIGILANCE-VUL-17703.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Google Android OS system uses the MediaServer service to process audio effects.

However, if the size of data is greater than the size of the storage array, an overflow occurs.

An attacker can therefore generate a buffer overflow in AudioEffect of Google Android OS, in order to trigger a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

weakness alert CVE-2015-3864

Google Android OS: integer overflow of MPEG4Extractor-parseChunk

Synthesis of the vulnerability

An attacker can generate an integer overflow in MPEG4Extractor::parseChunk() of Google Android OS, in order to trigger a denial of service, and possibly to run code.
Severity: 2/4.
Creation date: 14/08/2015.
Identifiers: CVE-2015-3864, VIGILANCE-VUL-17675.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Google Android OS product uses the Stagefright multimedia library.

However, if a MPEG4 fields is too large, an integer overflows, and the MPEG4Extractor::parseChunk() function allocates a memory area which is too short.

An attacker can therefore generate an integer overflow in MPEG4Extractor::parseChunk() of Google Android OS, in order to trigger a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

threat alert CVE-2015-2000 CVE-2015-2001 CVE-2015-2002

Android: privilege escalation via Serialization

Synthesis of the vulnerability

A local attacker, or a malicious application, can thus use the Serialization on Android OS, in order to escalate his privileges.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 8.
Creation date: 12/08/2015.
Identifiers: CVE-2015-2000, CVE-2015-2001, CVE-2015-2002, CVE-2015-2003, CVE-2015-2004, CVE-2015-2020, CVE-2015-3825-REJECT, CVE-2015-3837, VIGILANCE-VUL-17645.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

A Java class can:
 - be serializable, and
 - contain a finalize method, and
 - contain an attacker-controlled field

However, in this case, an attacker can change the attribute, and thus inject code which is run during the finalize() method by the Android garbage collector.

There are several Java classes with the three required characteristics:
 - the OpenSSLX509Certificate class of Android OS (CVE-2015-3825, CVE-2015-3837)
 - classes from the SDK Jumio (CVE-2015-2000), used by applications built with this SDK
 - classes from the SDK MetaIO (CVE-2015-2001), used by applications built with this SDK
 - classes from the SDK PJSIP PJSUA2 (CVE-2015-2003), used by applications built with this SDK
 - classes from the SDK GraceNote GNSDK (CVE-2015-2004), used by applications built with this SDK
 - classes from the SDK MyScript (CVE-2015-2020), used by applications built with this SDK
 - classes from the SDK esri ArcGis (CVE-2015-2002), used by applications built with this SDK

A local attacker, or a malicious application, can thus use the Serialization on Android OS, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Google Android KitKat: