Google Pushes Stagefright 2.0 Patches to Nexus Devices

Google’s latest monthly over-the-air update for its Nexus Android devices includes patches for the most recent vulnerabilities in Stagefright.

Google today patched the latest round of Stagefright vulnerabilities in Android, pushing them out as part of its latest over-the-air update to Nexus devices.

Stagefright 2.0, as it’s come to be known, affects the Stagefright media playback engine in Android, and one billion devices dating back to the earliest versions of the OS are thought to be vulnerable. Researcher Joshua Drake of Zimperium disclosed the flaws last week after privately reporting them to Google. Drake discovered the initial set of Stagefright issues and disclosed those at the Black Hat and DEF CON conferences this summer, the same timeframe in which those vulnerabilities were patched and Google announced the start of its monthly OTA updates.

A Google spokesperson said last week that patches were provided to partners on Sept. 10 and that it was working with OEMs and carriers to deliver those updates as soon as possible.

Google said that new Nexus firmware images were released to the Google Developer website in builds LMY48T or later.

The Stagefright vulnerabilities merit attention not only for the breadth of devices they affect, but for the simplicity with which they could be exploited. Stagefright 1.0, for example, needed only a specially crafted MMS message, automatically processed by the Stagefright engine, to exploit the vulnerability. Google has since patched that attack vector in its Messenger and Hangouts apps.

In the latest set of flaws, an attacker would need to entice the victim, via phishing or malvertising, to visit in a mobile browser a website hosting an exploit, which in the case of Stagefright 2.0 means specially crafted audio files. Attackers could also man-in-the-middle a user’s traffic and inject the exploit, or trick the user into downloading a third-party app that uses the vulnerable library.

The first of the Stagefright 2.0 vulnerabilities was found in a core Android library called libutils, while the second, a dependent vulnerability in libstagefright, was introduced in Android 5.0; it calls into libutils in a vulnerable manner.

Google said today it still has not had reports of public exploits.

“The affected functionality is provided as an application API and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media,” Google said of the libutils bugs.

In all, 15 vulnerabilities were patched in libstagefright and two in libutils; 30 vulnerabilities were patched today.

Google also patched critical vulnerabilities in a number of other components, many of which enable remote code execution via media files in components such as Sonivox, libFLAC, Skia, Media Player Framework and Mediaserver.

A privilege elevation vulnerability was also patched in KeyStore, which could be abused by a malicious app calling into a KeyStore API to cause memory corruption and code execution.

A similar privilege elevation bug was also fixed in Android Runtime, enabling elevated privileges in Signature or SignatureOrSystem that are not generally available to third-party apps.

Google also patched lower-severity bugs in Secure Element Evaluation Kit, Media Projection component, Bluetooth and SQLite.

Discussion

  • BT7474 on

    Far too little, far too late. Google and Partners are still in a state of denial: How many people out of about 95% = 950 million Android Devices do you think have got the expertise to find Stagefright, especially when it can delete any trace of itself actually infecting a person's Android Device? If Google was that competent with the number of experts it has, then why didn't it find it in the first place? Why did Google and its Partners take far too long to provide a solution to consumers, and also how much longer (months, years, ever receiving) for a proper solution? It appears that the security services have been using Stagefright for years: It is about time that Google and Partners woke up and smelt the coffee: http://www.bbc.co.uk/iplayer/episode/b06h7j3b/panorama-edward-snowden-spies-and-the-law