Google Releases Patches for Stagefright 2.0

Google has patched ‘Stagefright 2.0’ – two new critical remote code execution vulnerabilities, one of which affects almost every Android device since 2008.

Security firm Zimperium, which discovered the first Stagefright flaws back in April, claimed in a blog post that the new vulnerabilities “manifest when processing specially crafted MP3 audio or MP4 video files.”

It added:

“The first vulnerability (in libutils) impacts almost every Android device since version 1.0 released in 2008. We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright). Google assigned CVE-2015-6602 to vulnerability in libutils.”

The second critical flaw is CVE-2015-3876 in libstagefright.

The flaws apparently lie in the processing of metadata in the files, so even previewing a specially crafted song or video would lead to infection.

The most likely attack vector is the web browser.

A malvertising campaign or spear phishing link could trick the user into visiting a malicious website, or attackers could inject the exploit “using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser,” Zimperium claimed.

A third way to get infected would be via third-party apps using the vulnerable library.

On the plus side, Google is claiming that the bugs have not yet been exploited in the wild.

It released a security update to Nexus devices over the air (OTA) on Monday, but there’s no indication when its handset partners may implement their own versions.

Google said it would release source code patches to the Android Open Source Project repository “over the next 48 hours.”

The Mountain View giant revealed in August that it would be switching to a monthly patch cycle for Android – the Android Security Bulletin Monthly Release.

This bulletin contained patches for a total of 30 vulnerabilities, 20 of which are critical, five high, three moderate and two low severity.
