This week the latest batch of over-the-air security updates started rolling out to Nexus devices, most carrying the build number LMY48M. Google also posted the goods online in the form of factory images. The company then went on to provide a list of the security fixes.
Eight make the list, one of which has actually been exploited in the wild, though whether it was used maliciously or just by someone rooting their own device is unclear. None of the vulnerabilities are newly disclosed.
| Issue | CVE | Severity | Exploited in the wild? |
|---|---|---|---|
| Remote Code Execution Vulnerability in Mediaserver | CVE-2015-3864 | Critical | No |
| Elevation of Privilege Vulnerability in Kernel | CVE-2015-3636 | Critical | Yes |
| Elevation of Privilege Vulnerability in Binder | CVE-2015-3845, CVE-2015-1528 | High | No |
| Elevation of Privilege Vulnerability in Keystore | CVE-2015-3863 | High | No |
| Elevation of Privilege Vulnerability in Region | CVE-2015-3849 | High | No |
| Elevation of Privilege Vulnerability in SMS (enables notification bypass) | CVE-2015-3858 | High | No |
| Elevation of Privilege Vulnerability in Lockscreen | CVE-2015-3860 | Moderate | No |
| Denial of Service Vulnerability in Mediaserver | CVE-2015-3861 | Low | No |
According to Ars Technica, the two critical fixes address vulnerabilities found in the libstagefright Android media library. These allowed attackers to execute harmful code on users' devices, and Google has been working with device manufacturers and carriers to get on top of the issue over the past several months.
These updates come just as Zimperium Mobile Security has released proof-of-concept code showing how the Stagefright vulnerabilities could be exploited.
Mitigation Techniques Used To Prevent Exploitation:
- Remote exploitation for many issues on Android versions 4.1 (Jelly Bean) and higher is mitigated by enhancements in the Address Space Layout Randomization (ASLR) algorithm used in those versions. Android 5.0 improved ASLR by requiring PIE (position-independent executable) for all dynamically linked executables, further strengthening the ASLR protection. We encourage all users to update to the latest version of Android where possible.
- The Android Security team is actively monitoring for abuse of issues with Verify Apps and SafetyNet, which will warn about potentially harmful applications about to be installed. Device "rooting" tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known rooting applications. Verify Apps will block installation of known "malicious" applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will attempt to automatically remove it and notify the user.
- As appropriate, Google has updated the Hangouts and Messenger applications so that media is not automatically passed to vulnerable processes (such as Mediaserver).
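The first mitigation above rests on a property a defender can verify directly: ASLR can only randomize the load address of a binary that was linked as position-independent, which an ELF file records in the `e_type` field of its header (`ET_DYN` for PIE, `ET_EXEC` for a fixed load address). The following is an added example, not code from the article or from Google: a small Python checker that reads that field, with endianness taken from the header, and classifies a set of images. The sample headers it runs on are constructed inline (they are not real Android binaries), and the names `elf_type`, `make_header` and `audit` are this example's own.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed load address: ASLR cannot move the main image
ET_DYN = 3    # position-independent: the loader may place the image at a random base


def elf_type(data: bytes) -> str:
    """Classify an ELF image as 'PIE', 'fixed' or 'other' from its header alone.

    Only the first 0x12 bytes are inspected, so reading the first 64 bytes of a
    file is enough; non-ELF input raises ValueError instead of guessing.
    """
    if len(data) < 0x12 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_data = data[5]                          # EI_DATA: 1 = little-endian, 2 = big-endian
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None:
        raise ValueError("unknown ELF data encoding")
    (e_type,) = struct.unpack_from(endian + "H", data, 0x10)   # e_type follows the 16-byte e_ident
    if e_type == ET_DYN:
        return "PIE"
    if e_type == ET_EXEC:
        return "fixed"
    return "other"                              # relocatable objects, core dumps, etc.


def make_header(e_type: int, bits: int = 64, little_endian: bool = True) -> bytes:
    """Build a minimal, constructed ELF header (e_ident + e_type + e_machine) for testing."""
    ei_class = 2 if bits == 64 else 1           # EI_CLASS: 1 = ELF32, 2 = ELF64
    ei_data = 1 if little_endian else 2
    # e_ident: magic(4) class(1) data(1) version(1) osabi(1) abiversion(1) pad(7)
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + bytes(8)
    e_machine = 183 if bits == 64 else 40       # 183 = AArch64, 40 = ARM
    return ident + struct.pack(("<" if little_endian else ">") + "HH", e_type, e_machine)


def audit(images: dict) -> dict:
    """Map each named image to its classification; anything not 'PIE' deserves follow-up."""
    return {name: elf_type(blob) for name, blob in images.items()}


if __name__ == "__main__":
    # Constructed sample headers, not real device binaries.
    SAMPLES = {
        "mediaserver_pie": make_header(ET_DYN, 64),
        "legacy_fixed":    make_header(ET_EXEC, 32),
        "big_endian_pie":  make_header(ET_DYN, 32, little_endian=False),
    }
    for name, kind in audit(SAMPLES).items():
        print(f"{name:16s} {kind}")
```

On a real device or an extracted factory image the same field is what `readelf -h` prints as "Type:", so the script is a way to batch the check across a system partition. One caveat: shared libraries are also `ET_DYN`, so the "PIE" verdict is only meaningful for files that are actually executables (those with a `PT_INTERP` program header); a result of "fixed" for any executable, on the other hand, means that binary gets no base randomization regardless of the Android version.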
For more on what's changed in the latest updates, check out the latest entry in our AOSP Changelog series and the source link below.