Google fixes Android bugs, including lingering Mediaserver flaw

Google continues its monthly security update cycle for Android, fixing nearly 20 vulnerabilities in the latest bulletins

Google addressed 19 security vulnerabilities, seven of them rated critical, in its latest Android security update. 

The updates addressed critical security vulnerabilities in the Kernel Keyring component, the MediaTek Wi-Fi driver, Conscrypt, the libvpx library, the Mediaserver component, and the Qualcomm Performance component. The most severe is a remote code execution flaw in Mediaserver that can be triggered through multiple delivery methods, including email, Web browsing, and MMS, when the device processes a maliciously crafted media file.

Mediaserver still vulnerable

Google has patched more than two dozen Mediaserver flaws since August 2015, when the monthly bulletins began in the wake of the original Stagefright disclosure. Since then, Google's internal security team has been identifying and fixing other security vulnerabilities scattered throughout the rest of the Mediaserver and libstagefright code.

The steady stream of Mediaserver vulnerabilities has slowed: this month's update fixed only two critical flaws (CVE-2016-0815, CVE-2016-0816) and three high-priority issues in Mediaserver.

"During the media file and data processing of a specially crafted file, vulnerabilities in Mediaserver could allow an attacker to cause memory corruption and remote code execution as the Mediaserver process," wrote Google in the security bulletin.

Google also patched an information disclosure vulnerability in libstagefright (CVE-2016-0824), two elevation of privilege vulnerabilities in Mediaserver (CVE-2016-0826, CVE-2016-0827), and two information disclosure vulnerabilities in Mediaserver (CVE-2016-0828, CVE-2016-0829). All are rated high rather than critical because they cannot be used for remote code execution on their own, but an attacker can use them to gain elevated capabilities, such as Signature or SignatureOrSystem permissions, which most third-party apps should not have. The information disclosure flaws can be used to bypass exploit mitigations, while the elevation of privilege flaws could be used by a malicious app to execute arbitrary code in the Mediaserver process.

The critical flaw in libvpx (CVE-2016-1621) is closely related to the Mediaserver vulnerabilities, as attackers could exploit it to cause memory corruption and remote code execution as the Mediaserver process. It can be triggered with remote content, such as an MMS message or a media file played through the browser.

Multiple elevation of privilege bugs fixed

The remaining critical vulnerabilities are elevation of privilege flaws. The Conscrypt bug (CVE-2016-0818) could allow a specific type of invalid certificate to be trusted, enabling a man-in-the-middle attack. A malicious app could trigger the flaw in the Qualcomm Performance component (CVE-2016-0819) to execute arbitrary code in the kernel; the only way to repair a device compromised this way would be to re-flash the operating system. The Kernel Keyring bug (CVE-2016-0728) would also let a malicious app execute arbitrary code locally, again requiring a re-flash of the operating system. However, on Android 5.0 and above the vulnerable Keyring code is unreachable from third-party applications because SELinux rules block access to it, according to the bulletin.

The final critical vulnerability, in the MediaTek Wi-Fi kernel driver (CVE-2016-0820), could also be abused by a malicious app. Another MediaTek flaw (CVE-2016-0822) could likewise result in arbitrary code execution, but it was rated only high because the attacker would first have to compromise the conn_launcher service, "which may not even be possible," Google said.

The patches for Qualcomm and MediaTek components are posted on the Google Developer site and not in the Android Open Source Project repository.

High priority and medium priority bugs also addressed

Google fixed a mitigation bypass vulnerability in the kernel (CVE-2016-0821) that could let attackers defeat security measures in place. The vulnerability is related to a change to poison pointer values made in the upstream Linux kernel in September 2015. The updates also addressed an information disclosure vulnerability in the kernel (CVE-2016-0823) that could let a malicious app locally bypass exploit mitigation technologies such as ASLR in a privileged process. That bug had already been fixed upstream in Linux in March 2015.

The information disclosure vulnerability in the Widevine Trusted Application component could allow code running in the kernel context to access information in TrustZone secure storage, Google said in its bulletin. Like the high-priority Mediaserver flaws, this bug could be used to gain permissions typically not granted to third-party apps. The final high-priority bug is a remote denial-of-service flaw in Bluetooth that could allow an attacker within Bluetooth range of the target device to block access to it. The attacker could cause an overflow of identified Bluetooth devices in the component, leading to memory corruption and a service stop. The issue could potentially only be fixed by flashing the device, Google said.

The two moderate-priority bugs are in the Telephony component and the Setup Wizard. The information disclosure vulnerability in the telephony component could allow an app to access sensitive data on the device. The elevation of privilege vulnerability in Setup Wizard can be exploited by an attacker who has physical access to the device and can perform a manual device reset.

Patch if possible

Google said it had received no reports of any of these issues being exploited in the wild.

Builds LMY49H or later (Android 5.1.1) and Android M (Android 6.0) builds with a Security Patch Level of "March 01, 2016" or later contain fixes for these issues. The build information is available through the Settings app on Android devices, under the About phone option. The Security Patch Level is shown in the same location on Android M devices and on some Samsung devices running the latest Lollipop versions.
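A small check that applies those two indicators, as an added example that is not part of the article or of Google's bulletin: it reads the standard `ro.build.version.security_patch` and `ro.build.id` properties over adb (the property names are real; the `--device` flag and the patched/unpatched/unknown verdicts are this script's own conventions), and falls back to the build ID only for the LMY49 series, since that is the only Lollipop series the bulletin lets you judge.

```shell
#!/bin/sh
# Added example (not from the article or Google's bulletin): decide whether a
# device carries the March 2016 fixes using the two indicators the bulletin
# names: the "Android security patch level" string (Android 6.0+), or the
# build ID (LMY49H or later on Android 5.1.1, which has no patch-level string).

# check_march_2016_patch PATCH_LEVEL BUILD_ID
#   PATCH_LEVEL: value of ro.build.version.security_patch, e.g. "2016-03-01"
#                (empty on builds that predate the property)
#   BUILD_ID:    value of ro.build.id, e.g. "LMY49H" or "MMB29V"
# Prints patched / unpatched / unknown; exit status is 0 only when patched.
check_march_2016_patch() {
    patch_level="$1"
    build_id="$2"

    if [ -n "$patch_level" ]; then
        # "YYYY-MM-DD" with the dashes removed compares correctly as an integer.
        plnum=$(printf '%s' "$patch_level" | tr -d '-')
        case "$plnum" in
            *[!0-9]*|"") echo "unknown"; return 1 ;;
        esac
        if [ "$plnum" -ge 20160301 ]; then
            echo "patched"; return 0
        fi
        echo "unpatched"; return 1
    fi

    # No patch-level string: fall back to the build ID. Only the LMY49 series
    # can be judged from the bulletin's "LMY49H or later" statement; older
    # Lollipop builds (LMY4x, LRX) are certainly unpatched, anything else is
    # not decidable from the bulletin alone.
    case "$build_id" in
        LMY49[H-Z]) echo "patched";   return 0 ;;
        LMY*|LRX*)  echo "unpatched"; return 1 ;;
        *)          echo "unknown";   return 1 ;;
    esac
}

# With --device, read both properties from a USB-attached phone via adb.
# (getprop output ends in CRLF on many devices, hence the tr.)
if [ "${1:-}" = "--device" ]; then
    pl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    bid=$(adb shell getprop ro.build.id | tr -d '\r')
    printf 'patch level: %s  build: %s  -> ' "${pl:-none}" "$bid"
    check_march_2016_patch "$pl" "$bid"
fi
```

Run it as `sh check.sh --device` with a phone attached and USB debugging enabled; without the flag the function can be sourced and called with values collected some other way (an MDM export, for example). A verdict of "unknown" for a KitKat or older build is deliberate: such devices never received these bulletins at all.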

Because phone makers and carriers control when updates are actually pushed to Android devices, the most reliable ways for most users to stay current with security fixes are to buy Nexus devices, to replace devices frequently, or to install custom Android builds themselves.

Partners, including handset makers and phone carriers, received the bulletin on Feb. 1. The Nexus devices will receive over-the-air updates and the patches are expected to be posted to the Android Open Source Project repository. Non-Nexus devices will follow schedules determined by the manufacturers or the carriers. While Samsung has committed to updates for its latest models, many Android phones remain on older versions.

Google's Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet, which both warn users of potentially harmful applications about to be installed.

Introduced in Android 4.2, Verify Apps works by scanning all .apk packages downloaded from Google Play and other sources for potentially harmful applications. "Google's systems use machine learning to see patterns and make connections that humans would not," Elena Kovakina, a senior security analyst at Google, said in February at the Kaspersky Lab Security Analyst Summit.

Verify Apps scans for known attack vectors and scenarios such as phishing, rooting operations, ransomware, backdoors, spyware, harmful sites, SMS fraud, WAP fraud, and call fraud. Because it's enabled by default, most malicious attacks are thwarted, Kovakina said. An example is the recent Lockdroid malware, which could have affected a large percentage of Android devices, but turned out to have not infected any Android users.

Even if users can't update their Android devices to the latest versions, the SafetyNet and Verify Apps features filter out the majority of malicious apps that could take advantage of these flaws.

Stories by Fahmida Y. Rashid