Android Stagefright Vulnerability Not Patched Properly by Google

A patch released by Google for one of the recently disclosed Stagefright vulnerabilities affecting the Android mobile operating system is flawed, researchers have warned.

Earlier this year, researchers at mobile security firm Zimperium identified several vulnerabilities in the Stagefright library used in Android (libstagefright) and other software such as Mozilla Firefox. The security holes affect all Android versions since 2.2, but releases prior to 4.1 Jelly Bean are the most exposed because Address Space Layout Randomization (ASLR) mitigations are not properly implemented.

When the issues were disclosed in late July, experts estimated that roughly 950 million Android devices were affected by remote code execution flaws, some of which could be exploited simply by sending an MMS message to the targeted device.

The Stagefright vulnerabilities have been assigned the following CVE identifiers: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829.

On August 5, Google started releasing over-the-air (OTA) security updates for Nexus 4,5,6,7,9,10 and Nexus Player devices to address most of these flaws. However, shortly after the search giant started distributing the patches, researchers at Exodus Intel confirmed their suspicion that the fix for an integer overflow triggered in libstagefright during MPEG4 tx3g data processing (CVE-2015-3824) was flawed.

The patch for this potential remote code execution vulnerability, consisting of only four changed lines of code, was provided to Google by Joshua Drake, the Zimperium researcher who uncovered the Stagefright flaws. Drake said the search giant accepted his patches within 48 hours after being submitted.

Google has confirmed that the fix for the integer overflow vulnerability does not work as intended and assigned the CVE-2015-3864 identifier to the new issue. However, as of August 13, the company was still pushing out the updates containing the buggy patch.

The search giant says it has already provided a fix to its partners. The company intends to send out the new patch to Nexus 4,5,6,7,9,10 and Nexus Player devices with the September OTA updates.

“Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?” Exodus Intel wrote in a blog post.

Several serious flaws have been found in Android over the past weeks. Earlier this month, researchers at IBM disclosed several serialization vulnerabilities that can be exploited by malicious apps to escalate privileges, allowing attackers to take control of devices.

The large number of vulnerabilities and the fact that it takes a lot of time for patches to reach devices due to the fragmentation of the ecosystem have made Android a tempting target for cybercriminals. Device manufacturers have started to acknowledging the importance of time sensitivity when it comes to addressing critical vulnerabilities, which is why Google, Samsung and other companies recently promised to provide regular security updates.