The Stagefright vulnerabilities are the gifts that keep on giving.
Months after the potentially devastating security flaws in the mobile OS were publicly disclosed, Google continues to send out patches addressing vulnerabilities related to the initial reports.
Today’s monthly Android security bulletin, the fourth since Google announced at Black Hat this summer it would begin regular patch updates, includes a fix for another flaw in the Stagefright media playback engine, one in libutils where the Stagefright 2.0 vulnerabilities were found, and two in Android Mediaserver where all the vulnerable code runs.
The over-the-air update was released today to Google’s Nexus devices and will be added to the Android Open Source Project (AOSP) repository in the next two days; Google partners including Samsung were provided the patches on Oct. 5, Google said, adding that the vulnerabilities are patched in Build LMY48X or later, or in Android Marshmallow with a patch level of Nov. 1.
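As an added check (not from the article or from Google's bulletin): a POSIX shell script that reads a device's release, build ID and security patch level and decides whether it is at or past the fix thresholds the bulletin names, Build LMY48X or later for Lollipop 5.1 and a 2015-11-01 patch level for Marshmallow. The property names `ro.build.id`, `ro.build.version.release` and `ro.build.version.security_patch` are real Android system properties; the `getprop` dumps embedded below are constructed for offline use, not captured from real devices, and treating any release other than 5.1 and Marshmallow as unpatched is this script's own assumption, since the bulletin lists no fixed build for them.

```shell
#!/bin/sh
# Decide whether an Android device is at or past the November 2015 bulletin's
# fix level. Thresholds as stated in the bulletin; the Marshmallow date is in
# the YYYY-MM-DD form that ro.build.version.security_patch uses.
LOLLIPOP_FIXED_BUILD="LMY48X"
MARSHMALLOW_FIXED_PATCH="2015-11-01"

# str_ge A B: true if A sorts at or after B in C-locale byte order, which
# orders both build IDs (LMY48W < LMY48X < LMY48Z < LMY49F) and ISO dates.
str_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$2" ]
}

# prop NAME DUMP: extract one value from a `getprop` listing, whose lines
# look like  [ro.build.id]: [LMY48X]  (dots in NAME match literally enough here).
prop() {
    printf '%s\n' "$2" | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# is_patched RELEASE BUILD_ID PATCH_LEVEL: exit 0 if the device reports a
# fixed build, 1 otherwise. Releases the bulletin does not name are treated
# as unpatched (assumption: no fixed build is listed for them).
is_patched() {
    release="$1"; build="$2"; patch="$3"
    case "$release" in
        6.*)   # Marshmallow: go by the security patch level string
               [ -n "$patch" ] && str_ge "$patch" "$MARSHMALLOW_FIXED_PATCH" ;;
        5.1*)  # Lollipop 5.1.x: go by the build ID
               case "$build" in
                   LMY*) str_ge "$build" "$LOLLIPOP_FIXED_BUILD" ;;
                   *)    return 1 ;;
               esac ;;
        *)     return 1 ;;
    esac
}

# check_device DUMP: evaluate a whole getprop dump.
check_device() {
    is_patched "$(prop ro.build.version.release "$1")" \
               "$(prop ro.build.id "$1")" \
               "$(prop ro.build.version.security_patch "$1")"
}

# Constructed sample dumps (not captured from real devices).
SAMPLE_NEXUS_LOLLIPOP='[ro.build.id]: [LMY48X]
[ro.build.version.release]: [5.1.1]'
SAMPLE_MARSHMALLOW_OLD='[ro.build.id]: [MRA58K]
[ro.build.version.release]: [6.0]
[ro.build.version.security_patch]: [2015-10-01]'

for dump in "$SAMPLE_NEXUS_LOLLIPOP" "$SAMPLE_MARSHMALLOW_OLD"; do
    if check_device "$dump"; then
        echo "$(prop ro.build.id "$dump"): at or past November 2015 fix level"
    else
        echo "$(prop ro.build.id "$dump"): below November 2015 fix level"
    fi
done
```

Against a connected device, run `check_device "$(adb shell getprop | tr -d '\r')"`. The result says only what the build claims: an OEM build that backports the fixes without moving to LMY48X or bumping the patch level reads as unpatched, and a build string cannot prove that the shipped libstagefright and libutils binaries actually carry the fixes.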
Google rated one of the Mediaserver vulnerabilities, CVE-2015-6608, as critical, as it did the libutils flaw, CVE-2015-6609; both allow for remote code execution if exploited.
Mediaserver is a core part of the Android OS, and a number of applications that accept remote content interact with it, Google said, pointing to MMS messaging and media playback via the browser as two examples.
“During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process,” Google said in its advisory. “This issue is rated as a critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps cannot normally access.”
The libutils vulnerability, meanwhile, leads to memory corruption that an attacker could exploit to run code remotely.
“The affected functionality is provided as an API and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media,” Google said in its advisory. “This issue is rated as a critical severity issue due to the possibility of remote code execution in a privileged service. The affected component has access to audio and video streams as well as access to privileges that third-party apps cannot normally access.”
Google said it’s unaware of public exploits of any of these vulnerabilities.
Google also said that the critical Mediaserver vulnerability was discovered internally by Abhishek Arya, Oliver Chang and Martin Barbella of the Chrome Security Team, while the libutils flaw was privately reported Aug. 3 by Daniel Micay of Copperhead Security.
Micay told Threatpost that he reported three vulnerabilities in libutils in August, two of which lead to code execution and are exposed via libstagefright; one of them, CVE-2015-3875, was already patched in October, he said.
“A libstagefright vulnerability (including one inherited from libutils due to the fact that it uses it) can give an attacker remote code execution in the mediaserver process that uses libstagefright. The attack vectors range from media in web pages (browser), media via texts (MMS), downloaded media files (mediaserver automatically scans/analyzes all media files in Android’s shared storage area),” Micay said. “The libutils vulns are more serious because they can also expose vulnerabilities in other areas, such as a way for the attacker to escalate from a compromise of the mediaserver process to root (by attacking system_server, etc.).”
The remaining Mediaserver vulnerability, CVE-2015-6611, is an information disclosure bug that is rated High by Google. Google also patched three elevation of privilege vulnerabilities in libstagefright (CVE-2015-6610), libmedia (CVE-2015-6612), and Bluetooth (CVE-2015-6613), all of which it rated High. The remaining bug, CVE-2015-6614, is an elevation of privilege flaw in Telephony.
The libstagefright vulnerability, CVE-2015-6610, was privately reported Aug. 19 by Seven Shen of Trend Micro. A local malicious app, Google said, could cause memory corruption and pave the way for code execution within Mediaserver; Google said there is a lower likelihood that it can be exploited remotely.
The original Stagefright bugs were disclosed by researcher Joshua Drake of Zimperium and were believed to affect more than 950 million Android devices. A second set of vulnerabilities in Stagefright, patched last month, affected more than 1 billion devices. Stagefright 2.0, as it was labeled, posed similar risks to the first Stagefright bugs, which were exploited via specially crafted MMS messages that, at the time, were automatically processed by Stagefright. The Stagefright 2.0 flaws are instead exploitable via the mobile browser, for example when a victim is sent a link to a URL hosting the exploit, or via a man-in-the-middle attack. Like the first set of attacks, Stagefright 2.0 exploits are a way onto the phone: Stagefright is granted some system-level privileges, giving the attacker the opportunity to elevate privileges with additional attacks in order to control the device.