Google has released a security update to Nexus devices that patches a critical remote code execution vulnerability, among other issues.
The main flaw allows exploitation on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.
The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media. The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps cannot normally access.
The issue is eerily similar to the Stagefright vulnerability, which was found to affect 95% of Android devices. One of the most dangerous vulnerabilities to hit the Android scene, Stagefright makes Android devices targets of remote take-over by simply receiving an MMS message or other specially crafted media file, without even having to open or view it. That issue also involved a media library that processes several popular media formats.
The other vulnerabilities addressed in the latest update involve privilege elevation flaws in the Imagination Technologies driver and in the misc-sd driver from MediaTek (among others), that could enable a local malicious application to execute arbitrary code within the kernel; and information disclosure vulnerabilities in the kernel and in Bouncy Castle that could enable a local malicious application to gain access to user’s private information.
Google said in its advisory that it has had no reports of active customer exploitation of the newly reported issues, but that the Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet which will warn about potentially harmful applications about to be installed. Also, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.
The update was sent out over the air (OTA); users should accept the patch and upgrade to the latest version of the Android operating system.
Photo © Quka/Shutterstock.com