Posted on April 21, 2016 by Vladimir Ghilien
These new patches deal with six critical, two high, and five moderate flaws. The gravest vulnerability is located in Android’s mediaserver component. This is a core part of the OS and handles media playback along with parsing of the corresponding file metadata.
Exploitation of this vulnerability allows attackers to execute arbitrary code under the guise of the mediaserver process, thus obtaining privileges not granted to regular third-party apps. The flaw is especially dangerous, since it could be exploited remotely by tricking users into opening specially crafted media files in their web browsers or by sending such files through MMS.
Google has been busy locating and patching Android vulnerabilities related to media files since July, when a critical media parsing library flaw known as Stagefright resulted in a large coordinated patching effort from manufacturers of Android devices and prompted Samsung, LG, and Google to introduce monthly security updates.
The stream of media processing flaws has apparently slowed recently. The remaining five critical flaws patched in this release have to do with bugs in the kernel or its drivers. The kernel is the most privileged component of the Android OS.
One of the vulnerabilities was in MediaTek’s misc-sd driver and another was in an Imagination Technologies driver. Both could be exploited by a malicious app for rogue code execution within the kernel, which would fully compromise the system and could require re-flashing the OS to recover.
A similar vulnerability was located and fixed in the kernel itself. Two more were discovered in the Widevine QSEE TrustZone app, potentially permitting attackers rogue code execution in the TrustZone context. TrustZone is a hardware-based security extension of the ARM CPU architecture that permits execution of sensitive code in a privileged environment separate from the OS.
Kernel privilege escalation flaws are the kind of vulnerabilities that could be used for rooting Android devices. Rooting is the process through which consumers obtain full control of their devices. Although this capability is used legitimately by some power users and enthusiasts, in the hands of attackers it can also result in persistent compromise of devices.
This is the reason why Google does not permit rooting applications in its Google Play app store. Android’s on-device security features, such as SafetyNet and Verify Apps, are designed to detect and block such apps.
In order to complicate the remote exploitation of media parsing vulnerabilities, automatic display of multimedia messages has been turned off in the default Messenger app and Google Hangouts ever since the very first Stagefright flaw in July 2015.