Google has re-branded its monthly patch release, bringing a new name and new scope to the newly renamed Android Security Bulletin. While that may be new, the content is definitely familiar.
Once again, critical remote code execution Mediaserver vulnerabilities dominate this month’s patches. Mediaserver has been a front and center security issue since last summer’s Stagefright disclosures. The software serves up media content and interacts with the kernel, making it a tasty target for attacks. Researchers, meanwhile, have called it an “over-privileged” application since it’s granted system access on some devices.
“The crux of the problem here is that we are dealing with a shared multimedia processing library that needs to be able to handle a wide range of different input file types and formats. Stagefright is accessible in a number of different ways and historically media parsers have been riddled with bugs,” said Mike Hanley, director of Duo Labs at Duo Security. “The attack surface is huge, and the rewards are potentially high for a successful attack as mediaserver runs with privileges to many other parts of the device, like the camera and microphone.”
Today’s 32 vulnerabilities were patched on Nexus devices in an over-the-air update, while Google said carriers and manufacturers were sent the updates on April 4. The Android Open Source Project (AOSP) is expected to be updated in the next two days.
Google, meanwhile, has changed the name of the monthly release from the Nexus Security Bulletin to the Android Security Bulletin.
“These bulletins encompass a broader range of vulnerabilities that may affect Android devices, even if they do not affect Nexus devices,” Google said.
It has also updated the criteria making up its severity ratings.
“These changes were the result of data collected over the last six months on reported security vulnerabilities and aim to align severities more closely with real world impact to users,” Google said.
Google, this month, patched two critical vulnerabilities (CVE-2016-2428 and CVE-2016-2429) in Mediaserver, one of a half-dozen bulletins rated critical that cover 12 flaws.
The Mediaserver flaws, privately disclosed by researcher Weichao Sun of Alibaba Inc., lead to memory corruption and expose devices to remote code execution. Versions 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1 are affected, Google said.
Attackers have a number of avenues by which they can exploit these vulnerabilities, most commonly by using malicious MMS and browser playback of media files.
“This issue is rated as Critical severity due to the possibility of remote code execution within the context of the mediaserver service,” Google said. “The mediaserver service has access to audio and video streams, as well as access to privileges that third-party apps could not normally access.”
Google also reported a critical elevation of privilege bug in Debuggerd, the integrated Android debugger. An attacker could exploit this flaw to run arbitrary code in the context of the debugger and could root the device.
Four privilege escalation vulnerabilities were also patched in the Qualcomm TrustZone component and the Qualcomm Wi-Fi driver; each could also root a device and enable an attacker to run arbitrary code with the permissions afforded the TrustZone kernel.
Google also patched four similar rooting vulnerabilities in the NVIDIA Video Driver, affecting Nexus 9 devices.
There are also a dozen bulletins addressing 19 vulnerabilities given a “high” severity rating. Remote code execution vulnerabilities in the Android kernel and Bluetooth were patched. The kernel bug first requires compromise of a privileged service in order to exploit the bug in the audio subsystem, while the Bluetooth flaw allows for remote code execution during initialization of a Bluetooth device.
Most of the remaining vulnerabilities rated “high” were elevation of privilege issues, five of which are in Mediaserver, in addition to the Qualcomm Buspm Driver, MDP Driver and Wi-Fi Driver. Other elevation of privilege bugs were fixed in the NVIDIA Video Driver, Wi-Fi, and the MediaTek Wi-Fi Driver. Google also patched an information disclosure flaw in the Qualcomm Tethering Controller, and a remote denial-of-service vulnerability in the Qualcomm Hardware Codec.
The flaws rated moderate are in Conscrypt, OpenSSL and BoringSSL, the MediaTek Wi-Fi Driver, Wi-Fi, AOSP Mail, and Mediaserver; a DoS bug in the kernel was rated low.