Google on Monday released an over-the-air update for Nexus devices, which includes patches for the latest Stagefright vulnerabilities and other flaws.
Android’s Stagefright media processing feature, which recently imperiled 1 billion devices around the world, was once again putting them at risk, Zimperium revealed last week.
Zimperium found two new vulnerabilities that manifest when Android’s Stagefright media playback engine handles specially crafted MP3 audio or MP4 video files.
The first vulnerability, which Google named “CVE-2015-6602,” is in libutils. It exists in “all versions of Android since the very first AOSP (Android Open Source Project) code push,” said Zuk Avraham, Zimperium’s CTO.
The second vulnerability, in libstagefright, impacts only devices running Android 5.0 and higher, he told LinuxInsider.
It has been named “CVE-2015-3876,” Google spokesperson Elizabeth Markman said.
Google will post its latest patches to AOSP as well as on its Android Security Updates forum, Markman told LinuxInsider.
No exploit has been found in the wild for either vulnerability, Avraham said.
Fixing the Flaws
Zimperium disclosed the first Stagefright flaw this summer.
Google rolled out a patch but drew criticism almost immediately. It was possible to bypass the patch, according to Exodus.
Despite the reported issue, Google continued to distribute the flawed patch to Android devices through over-the-air updates, the firm said.
By now, though, “the previous issues flagged by Zimperium, Exodus, etc., have already been fixed,” Markman maintained.
Should Android Users Be Afraid?
On more than 85 percent of Android devices, the ASLR, or address space layout randomization, technology is enabled, Android Security Lead Engineer Adrian Ludwig said shortly after news of the first Stagefright flaw surfaced.
ASLR makes it more difficult to exploit bugs, he pointed out, and it’s just one of several technologies that protect Android devices.
ASLR first showed up in Android 4.0, aka Ice Cream Sandwich.
ASLR “is not a secure coding, but rather a feature provided by the operating system to block an important step in the exploitation process,” explained Craig Young, a cybersecurity researcher with Tripwire.
“Zimperium were only able to say that Stagefright v1 was theoretically exploitable for remote code execution on an up-to-date Android Lollipop phone,” he told LinuxInsider. “Turning this from theoretical to practical is a process involving locating at least one additional vulnerability, followed by a nontrivial effort to create a dynamic ROP exploit payload.”
ASLR “can and does generally prevent direct exploitation of memory corruption bugs,” said Young, but it’s “not perfect. For older versions of Android with a separate known vulnerability, it’s possible to get around ASLR if the attacker can reveal memory addresses needed to calculate the location of so-called ROP gadgets.”
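The discussion above hinges on whether ASLR is actually randomizing the regions an exploit would need to locate (stack, heap, shared libraries). A practical way to confirm that on a running system is to compare the memory map of several freshly spawned processes: under ASLR each region's base address should differ between runs. The script below is an added example, not code from the article, Zimperium or Google. It reads the Linux `/proc/<pid>/maps` interface (the same kernel interface exists on Android, which runs a Linux kernel); the live check therefore assumes a Linux host with `cat` available, and the two embedded map snippets are constructed samples used to show a randomized and a non-randomized layout.

```python
"""Verify that ASLR is in effect by sampling the memory map of fresh processes.

Added example (not from the article). On Linux every process exposes its layout
in /proc/<pid>/maps. If ASLR is on, the stack, heap and shared libraries land
at a different base address in each new process; if it is off, they repeat.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional

# One maps line: "start-end perms offset dev inode [pathname]"
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_region_bases(maps_text: str) -> Dict[str, int]:
    """Return the lowest start address of each named mapping.
    Library paths are reduced to their basename so only the address matters."""
    bases: Dict[str, int] = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        name = m.group(3).strip()
        if not name:
            continue  # anonymous mapping: nothing stable to compare by name
        if name.startswith("/"):
            name = name.rsplit("/", 1)[-1]
        start = int(m.group(1), 16)
        if name not in bases or start < bases[name]:
            bases[name] = start
    return bases


def randomized_regions(maps_samples: List[str]) -> Dict[str, bool]:
    """For every region present in all samples, True if its base address
    differed between processes, i.e. the loader placed it at random."""
    parsed = [parse_region_bases(t) for t in maps_samples]
    common = set(parsed[0])
    for p in parsed[1:]:
        common &= set(p)
    return {name: len({p[name] for p in parsed}) > 1 for name in sorted(common)}


def aslr_in_effect(maps_samples: List[str]) -> bool:
    """Verdict: the stack moved and so did at least one other region.
    A region that never moves is one ASLR is not protecting."""
    moved = randomized_regions(maps_samples)
    others_moved = any(v for k, v in moved.items() if k != "[stack]")
    return bool(moved.get("[stack]")) and others_moved


def sample_live_maps(n: int = 3) -> Optional[List[str]]:
    """Spawn n fresh processes, each printing its own map (Linux only)."""
    if not sys.platform.startswith("linux"):
        return None
    return [
        subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                       text=True, check=True).stdout
        for _ in range(n)
    ]


# Constructed samples (not real captures): B is A with every base relocated.
SAMPLE_A = """\
5555a0c2f000-5555a0c31000 r--p 00000000 08:01 1234 /usr/bin/cat
5555a0c31000-5555a0c36000 r-xp 00002000 08:01 1234 /usr/bin/cat
55f1e3c00000-55f1e3c21000 rw-p 00000000 00:00 0 [heap]
7f3a2b800000-7f3a2b828000 r--p 00000000 08:01 5678 /usr/lib/libc.so.6
7ffd8b6c1000-7ffd8b6e2000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_B = """\
55d07a41a000-55d07a41c000 r--p 00000000 08:01 1234 /usr/bin/cat
55d07a41c000-55d07a421000 r-xp 00002000 08:01 1234 /usr/bin/cat
562c1f900000-562c1f921000 rw-p 00000000 00:00 0 [heap]
7f9c4e200000-7f9c4e228000 r--p 00000000 08:01 5678 /usr/lib/libc.so.6
7ffc0e3a0000-7ffc0e3c1000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    live = sample_live_maps()
    if live is None:
        print("live check needs Linux; constructed samples only")
        live = [SAMPLE_A, SAMPLE_B]
    for region, moved in randomized_regions(live).items():
        print(f"{region:30} {'randomized' if moved else 'FIXED'}")
    print("ASLR in effect:", aslr_in_effect(live))
```

Run it as a script to see, per region, whether your own system relocates it; a region reported as FIXED (for example a non-PIE main binary) is one where ASLR offers no protection regardless of the kernel setting, which is the kind of gap Young's "not perfect" caveat refers to.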
There’s always a delay between when Google pushes out an Android patch and when it actually gets to consumers.
That’s because smartphone makers first have to test the patch and ensure it works with their user interfaces and implementations of Android, and carriers also have to test the patch and approve it.
The situation is improving: Some vendors have signed on to a monthly patch requirement with the ability to directly push updates to their devices without carrier restrictions, Young said.
Further, “patches for issues in the October security update were provided to partners on Sept. 10, and we’re working with OEMs and carriers to deliver updates as soon as possible,” Google’s Markman noted.
In the meantime, consumers should use the latest version of the Hangouts and Messenger apps, which “have important changes that prevent automatic, unattended exploitation of vulnerabilities exposed by libstagefright,” advised Zimperium’s Avraham.
They also should apply OS updates as soon as they’re available, and demand updates from their carriers and vendors if they don’t receive them within the next few weeks.
Consumers also should avoid interacting with untrusted parties. Don’t download media from untrusted sources, visit untrusted websites, or connect to unknown WiFi networks without protection, warned Avraham. Finally, ensure that all Web communications are conducted over HTTPS.