Good news if you’ve got a Nexus, otherwise you’re at risk
Another month, another patching cycle for Android.
Google’s mobile OS has picked up seven critical patches, ten classed as high priority, and a pair of moderately important fixes.
In short, playing back a booby-trapped video or receiving a message with malware hidden in it could lead to malicious code running on a vulnerable Android device that hasn’t been patched.
“We have had no reports of active customer exploitation of these newly reported issues,” the March advisory states.
“Partners were notified about the issues described in the bulletin on February 1, 2016 or earlier.
Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours.”
Most of the critical flaws were found by Google’s internal security team, and nearly half deal with programming blunders in Android’s Swiss-cheese-like mediaserver library, some directly and some indirectly via libvpx.
Being able to inject malware into mediaserver, via a message or video, is bad because, according to Google, “the mediaserver service has access to audio and video streams as well as access to privileges that third-party apps could not normally access.”
A critical flaw in Qualcomm’s implementation on Android would also lead to a permanent root that would require re-flashing the operating system to fix.
The same drastic fix would also be needed if the kernel keyring component flaw isn’t fixed.
Meanwhile, moves to strengthen Android against the attacks involving libstagefright only get a high severity rating, as do yet more fixes for Mediaserver.
The full list of bugs – some reaching as far back as Android 4.4 as well as versions 5 and 6 – are below:
Remote Code Execution Vulnerability in Mediaserver
Remote Code Execution Vulnerabilities in libvpx
Elevation of Privilege in Conscrypt
Elevation of Privilege Vulnerability in the Qualcomm Performance Component
Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver
Elevation of Privilege Vulnerability in Keyring Component
Mitigation Bypass Vulnerability in the Kernel
Elevation of Privilege in MediaTek Connectivity Driver
Information Disclosure Vulnerability in Kernel
Information Disclosure Vulnerability in libstagefright
Information Disclosure Vulnerability in Widevine
Elevation of Privilege Vulnerability in Mediaserver
Information Disclosure Vulnerability in Mediaserver
Remote Denial of Service Vulnerability in Bluetooth
Information Disclosure Vulnerability in Telephony
Elevation of Privilege Vulnerability in Setup Wizard
The vast majority of Android users aren’t going to be getting these updates soon enough, however. Nexus owners will get a push this week, and Samsung’s better than most at pushing out fixes, but some other handset owners may carry these flaws until they upgrade their hardware.
In the meantime, the malware writers will be getting busy reverse-engineering the Android patches and designing code to exploit the flaws.
In the PC sphere this can take as little as 48 hours, although for mobile it’s taking a little longer. ®
Sponsored: DevOps: hidden risks and how to achieve results