More than a billion mobile devices are affected by a set of two new critical vulnerabilities in Android's Stagefright code that can be exploited by an attacker to take complete control of a device, and as of Thursday patches are not available for users.
Disclosed by Zimperium researchers in July, the original Stagefright issue was several critical remote code execution vulnerabilities in Android's Stagefright code that could be exploited on an estimated 950 million devices by simply sending an MMS message with specially crafted media attached.
Although Google has since taken action to minimise the threat posed by the MMS message vector, this latest pair of vulnerabilities – identified again by Zimperium's Joshua Drake – is considered to be just as critical.
The two bugs manifest when processing specially crafted MP3 audio or MP4 video files, and altogether more than a billion Android devices are at risk, a Thursday post said.
One vulnerability is in 'libutils' and it affects nearly every Android device since version 1.0 was released in 2008, the post said. The aforementioned bug could be triggered on devices running Android version 5.0 and higher using the second flaw, which is in 'libstagefright'.
Drake, Zimperium zLabs vice president of platform research and exploitation, told SCMagazineUK.com in an email that the vulnerabilities allow remote arbitrary code execution, which enables taking control of the mediaserver process.
“This allows accessing several privileged subsystems and in some cases provides access to the system group,” Drake said. “Additionally, the attacker gains a foothold, from which they could conduct further local privilege escalation attacks and take complete control of the device.”
Since Google updated Hangouts and Messenger to remove the automatic processing of media received by MMS, Drake – who noted that Zimperium has not observed attacks in the wild – said that potential attackers will now have to rely on other exploitation vectors.
“A more likely attack vector at this point is via the Web browser,” Drake said. “An attacker can send a URL and if their target clicks it they can be compromised without any further user interaction. To increase impact an attacker could easily send the URL to a multitude of targets. Further, an on-path attacker could eliminate the need for user interaction using a man-in-the-middle (MITM) attack.”
According to a Google statement emailed to SCMagazineUK.com on Thursday, the issues reported by Drake will be included in the October Monthly Security Update for Android, which is scheduled to be released on 5 October.
On that upcoming date, the fix will be made in the Android Open Source Project (AOSP) and patches for the vulnerabilities will roll out to Nexus users, the statement noted. Additionally, patches for issues in the October update were provided to partners on 10 September, and Google is working with OEMs and carriers to push updates as soon as possible.
Trey Ford, global security strategist at Rapid7, emailed SCMagazineUK.com to comment: “The challenge that the mobile community faces is somewhat tied to the lack of portability between carriers (at least in the United States). When you buy a handset from the carrier, that discounted purchase is subsidised by the carrier contract. The carriers have a custom software build, with their own ‘out of box experience’ with special licensing agreements, software features and promotions. This process exacerbates an already complex supply chain. Carriers have inadvertently complicated the hardware supply chain with additional software on multiple hardware platforms, making their quality assurance testing process extremely complicated and slow.”
Ford says, “The advice I give friends and family is to buy handsets that allow for updates directly from the manufacturer. For those who love Android - buy directly from Google to remove the carrier-introduced delay when Android releases a security patch. For Google, this is an ecosystem problem. Google manages Android, and does a respectable job shipping patches. They deliver to the carriers ...before those patches are certified and delivered over the air to the devices. In other cases, they don't bother, as the handset life expectancy is so brief for the consumer. Discerning consumers are paying attention, they want to keep their patches up to date!”