Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Patches Stagefright 2.0 Flaws on Nexus Devices

Google on Monday released a security update for Nexus devices, aimed at resolving recently disclosed critical security vulnerabilities the media playback engine in Android, called Stagefright 2.0.

Google on Monday released a security update for Nexus devices, aimed at resolving recently disclosed critical security vulnerabilities the media playback engine in Android, called Stagefright 2.0.

Disclosed last week by security firm Zimperium, the issues affect libstagefright and libutils, and affect all Android devices, including those running under version 1.0 of the platform, which has was released in 2008. Both of these flaws are rated Critical and could result in remote code execution on the affected devices.

Two vulnerabilities in libutils were patched in Google’s October 2015 Nexus Security Bulletin, featuring Common Vulnerabilities and Exposures (CVE) identifiers CVE-2015-3875 and CVE-2015-6602. Both flaws exist in audio file processing and affect all devices running Android 5.1 and below.

According to Zimperium, issue resides in the processing of metadata within the files, which means that the vulnerability could be triggered even if the user simply previews the compromised MP3 audio or MP4 video file. Older devices running Android are impacted if the vulnerable function in libutils is used via third party apps or pre-loaded vendor or carrier functionality.

To exploit the vulnerability, an attacker would have to push a specially crafted file to the affected device. As soon as the file is processed, it would cause memory corruption and remote code execution in a service that uses the libutils library, including mediaserver. The functionality is used by multiple applications and remote content can reach it via email, MMS, and browser playback.

Newer Google Hangouts and Messenger applications remove the primary attack vector of MMS, which means that an attacker interested in exploiting the vulnerability would need to use the Web browser to execute an attack by convincing a user to visit a URL directing to a malicous Web site.

The issue could also be exploited by an attacker on the same network with the affected device through a Man-in-the-Middle (MiTM) attack through. Additionally, 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library can be exploited.

Google’s new security update for Nexus devices patches 15 vulnerabilities in libstagefright, all of which could be exploited during media file and data processing of a specially crafted file to cause memory corruption and remote code execution. Rated Critical, these vulnerabilities impact all Android 5.1 and below versions.

Advertisement. Scroll to continue reading.

Overall, 20 security flaws with a Critical severity score have been patched by Google with the new set of updates for Nexus users, all of which existed in media file playback. In addition to libutils and libstagefright, the vulnerabilities also affected components such as Sonivox, Skia, and libFLAC, and can be exploited when processing a specially crafted media file.

In July, Zimperium discovered the Stagefright vulnerability in the Android media playback service and said at the time that it was the worst security flaw in Android, since it affected 950 million devices. Google was fast to release a security fix for it, but discovered only a few weeks later that it did not patch the issue properly.

The new Stagefright 2.0 vulnerability, however, appears to be even more frightening than the one disclosed in July, since it affects even more devices and offers multiple vectors of attack. No proof-of-concept exploit for this new vulnerability is planned for public release as of now, although Zimperium released a PoC exploit for the original vulnerability in early September.

Google says that it hasn’t received reports that the Stagefright 2.0 vulnerabilities are being actively exploited and that it has informed its partners on the existence of the issues several weeks ago. Following the release of the updates for Nexus devices, the source code for the patches will be pushed to the Android Open Source Project (AOSP) repository so that device makers could release updates for their products as well.

The existence of the Stagefright 2.0 vulnerability in Android “highlights a fundamental security issue across the entire software spectrum,” Chris Wysopal, CISO and CTO, Veracode, told SecurityWeek.

Developers looking to accelerate time-to-market often integrate vulnerable code libraries into their applications not knowing that they include security flaws. In the case of Stagefright, developers trust the library because it is the default way of handling media files in Android.

“Patching for Stagefright vulnerabilities seem to continue to be a challenge for the Android community. Google’s done a good job issuing updates, however, waiting for handset manufacturers or carriers to issue a patch has proven to be problematic since many of the 1.0 patches still haven’t been rolled out to end-users. Companies need to manage risk posed by both operating system and application threats using tools such as MDM platforms in conjunction with mobile application security software,” Wysopal said.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.