Google on Monday released a security update for Nexus devices, aimed at resolving recently disclosed critical security vulnerabilities the media playback engine in Android, called Stagefright 2.0.
Disclosed last week by security firm Zimperium, the issues affect libstagefright and libutils, and affect all Android devices, including those running under version 1.0 of the platform, which has was released in 2008. Both of these flaws are rated Critical and could result in remote code execution on the affected devices.
Two vulnerabilities in libutils were patched in Google’s October 2015 Nexus Security Bulletin, featuring Common Vulnerabilities and Exposures (CVE) identifiers CVE-2015-3875 and CVE-2015-6602. Both flaws exist in audio file processing and affect all devices running Android 5.1 and below.
According to Zimperium, issue resides in the processing of metadata within the files, which means that the vulnerability could be triggered even if the user simply previews the compromised MP3 audio or MP4 video file. Older devices running Android are impacted if the vulnerable function in libutils is used via third party apps or pre-loaded vendor or carrier functionality.
To exploit the vulnerability, an attacker would have to push a specially crafted file to the affected device. As soon as the file is processed, it would cause memory corruption and remote code execution in a service that uses the libutils library, including mediaserver. The functionality is used by multiple applications and remote content can reach it via email, MMS, and browser playback.
Newer Google Hangouts and Messenger applications remove the primary attack vector of MMS, which means that an attacker interested in exploiting the vulnerability would need to use the Web browser to execute an attack by convincing a user to visit a URL directing to a malicous Web site.
The issue could also be exploited by an attacker on the same network with the affected device through a Man-in-the-Middle (MiTM) attack through. Additionally, 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library can be exploited.
Google’s new security update for Nexus devices patches 15 vulnerabilities in libstagefright, all of which could be exploited during media file and data processing of a specially crafted file to cause memory corruption and remote code execution. Rated Critical, these vulnerabilities impact all Android 5.1 and below versions.
Overall, 20 security flaws with a Critical severity score have been patched by Google with the new set of updates for Nexus users, all of which existed in media file playback. In addition to libutils and libstagefright, the vulnerabilities also affected components such as Sonivox, Skia, and libFLAC, and can be exploited when processing a specially crafted media file.
In July, Zimperium discovered the Stagefright vulnerability in the Android media playback service and said at the time that it was the worst security flaw in Android, since it affected 950 million devices. Google was fast to release a security fix for it, but discovered only a few weeks later that it did not patch the issue properly.
The new Stagefright 2.0 vulnerability, however, appears to be even more frightening than the one disclosed in July, since it affects even more devices and offers multiple vectors of attack. No proof-of-concept exploit for this new vulnerability is planned for public release as of now, although Zimperium released a PoC exploit for the original vulnerability in early September.
Google says that it hasn’t received reports that the Stagefright 2.0 vulnerabilities are being actively exploited and that it has informed its partners on the existence of the issues several weeks ago. Following the release of the updates for Nexus devices, the source code for the patches will be pushed to the Android Open Source Project (AOSP) repository so that device makers could release updates for their products as well.
The existence of the Stagefright 2.0 vulnerability in Android “highlights a fundamental security issue across the entire software spectrum,” Chris Wysopal, CISO and CTO, Veracode, told SecurityWeek.
Developers looking to accelerate time-to-market often integrate vulnerable code libraries into their applications not knowing that they include security flaws. In the case of Stagefright, developers trust the library because it is the default way of handling media files in Android.
“Patching for Stagefright vulnerabilities seem to continue to be a challenge for the Android community. Google’s done a good job issuing updates, however, waiting for handset manufacturers or carriers to issue a patch has proven to be problematic since many of the 1.0 patches still haven’t been rolled out to end-users. Companies need to manage risk posed by both operating system and application threats using tools such as MDM platforms in conjunction with mobile application security software,” Wysopal said.