Stagefright 2.0, as it’s come to be known, affects the Stagefright media playback engine in Android; one billion devices dating back to the earliest versions of the OS are thought to be vulnerable. Researcher Joshua Drake of Zimperium disclosed the flaws last week after privately reporting them to Google. Drake discovered the initial set of Stagefright issues and disclosed them at the Black Hat and DEF CON conferences this summer, the same timeframe in which those vulnerabilities were patched and Google announced the start of its monthly OTA updates.
A Google spokesperson said last week that patches were provided to partners on Sept. 10 and that it was working with OEMs and carriers to deliver those updates as soon as possible.
Google said that new Nexus firmware images were released to the Google Developer website in builds LMY48T or later.
The Stagefright vulnerabilities merit attention not only for the breadth of devices they affect, but for the simplicity with which they could be exploited. Stagefright 1.0, for example, needed only a specially crafted MMS message, automatically processed by the Stagefright engine, to exploit the vulnerability. Google has since patched that attack vector in its Messenger and Hangouts apps.
In the latest set of flaws, an attacker would need to entice the victim to use a mobile browser via phishing or malvertising to surf to a website hosting an exploit—in the case of Stagefright 2.0, specially crafted audio files. Attackers could also man-in-the-middle a user’s traffic and inject the exploit, or trick the user into downloading a third-party app that uses the vulnerable library.
The first of the Stagefright 2.0 vulnerabilities was found in a core Android library called libutils, while the second, a dependent vulnerability in libstagefright, was introduced in Android 5.0; it calls into libutils in a vulnerable manner.
Google said today it still has not had reports of public exploits.
“The affected functionality is provided as an application API and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media,” Google said of the libutils bugs.
In all, 15 vulnerabilities were patched in libstagefright and two in libutils; 30 vulnerabilities were patched today in total.
Google also patched critical vulnerabilities in a number of other components, many of which enable remote code execution via media files in components such as Sonivox, libFLAC, Skia, Media Player Framework and Mediaserver.
A privilege elevation vulnerability was also patched in KeyStore, which could be abused by a malicious app calling into a KeyStore API causing memory corruption and code execution.
A similar privilege elevation bug was also fixed in the Android Runtime, which could enable an app to gain Signature or SignatureOrSystem permissions that are not generally available to third-party apps.
Google also patched lower-severity bugs in Secure Element Evaluation Kit, Media Projection component, Bluetooth and SQLite.