Google addressed multiple remote code execution and elevation of privilege vulnerabilities in its Android monthly security update for February. Along with the usual mediaserver suspects, the patches addressed multiple issues in several Wi-Fi components.
"Builds LMY49G or later and Android M with Security Patch Level of February 1, 2016 or later address these issues," the Android team said in the Android monthly security update advisory.
Android users who have already received the over-the-air update for the recently reported Linux kernel flaw do not need this one: those devices already report a security patch level of March 1, 2016, and a later patch level includes the fixes from all earlier monthly bulletins.
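The patch-level string is what actually tells you whether a bulletin's fixes are present on a device, so here is an added example (not from the advisory or from Google's tooling) that reads a device's reported level and compares it with a bulletin's level. It assumes the standard property ro.build.version.security_patch, which Android 6.0 and later expose as a YYYY-MM-DD date; check_patch_level.sh is a hypothetical file name and 2016-02-01 is this bulletin's level.

```shell
#!/bin/sh
# Added example (not part of the Android advisory or of Google's tooling).
# Compares a device's reported security patch level with a bulletin's level.
# Assumes the standard property ro.build.version.security_patch (Android 6.0+),
# whose value is an ISO date such as 2016-02-01. Lollipop devices do not expose
# this property; the advisory identifies them by build ID (LMY49G or later).

# Convert "YYYY-MM-DD" to the integer YYYYMMDD; fail on anything else.
patch_level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s\n' "$1" | tr -d '-'
            ;;
        *)
            return 1
            ;;
    esac
}

# patch_covers DEVICE_LEVEL REQUIRED_LEVEL
# Exit status 0: device level is on or after the required level (fixes present).
#             1: device level is older (update still needed).
#             2: device level missing or malformed (e.g. "unknown" or a build ID).
patch_covers() {
    device=$(patch_level_to_int "$1") || return 2
    required=$(patch_level_to_int "$2") || return 2
    # Zero-padded YYYYMMDD integers order the same way as the dates.
    [ "$device" -ge "$required" ]
}

# Query a connected device with adb and report against a bulletin level
# (default: the February 2016 level). Requires adb on PATH and one device.
check_device() {
    required=${1:-2016-02-01}
    # Older adb versions emit CRLF line endings; strip the CR before comparing.
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')
    patch_covers "$level" "$required"
    case $? in
        0) echo "patch level $level covers $required" ;;
        1) echo "patch level $level is older than $required: update needed" ;;
        *) echo "no usable patch level reported (got '$level'); device may predate Android 6.0" ;;
    esac
}

# Usage: sh check_patch_level.sh --device [YYYY-MM-DD]
if [ "${1:-}" = "--device" ]; then
    check_device "$2"
fi
```

The comparison is done on the date alone because that is what the patch level promises: a device reporting 2016-03-01 carries every fix from the February bulletin as well. A build ID such as LMY49G deliberately fails the check rather than being treated as "old", so the script does not tell a Lollipop user they are unpatched when it simply cannot tell.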
Of the 13 security flaws fixed in the February update, 11 were rated as either high or critical severity. Vulnerabilities rated as critical include remote code execution flaws in the Broadcom Wi-Fi driver and mediaserver, as well as critical elevation of privilege flaws in the Qualcomm performance module, Qualcomm Wi-Fi driver, and the debugger daemon. Vulnerabilities rated as high severity include denial-of-service bugs in the Minikin library, elevation of privilege vulnerabilities in Wi-Fi and mediaserver, and an information disclosure vulnerability in the libmediaplayerservice component. Google also addressed two moderate-severity bugs that could let attackers bypass factory reset protections in the setup wizard.
"We have had no reports of active customer exploitation of these newly reported issues," the Android security team said.
Mediaserver still vulnerable
Since last August, Google has been patching vulnerabilities uncovered in the mediaserver and related components that handle how media files are processed and rendered, and this month was no exception. The most severe issue involved two critical vulnerabilities that could result in an attacker remotely executing code by means of specially crafted email messages, Web links, or MMS messages (CVE-2016-0803 and CVE-2016-0804). Mediaserver flaws are exceptionally worrisome because many applications rely on the component to play audio and video stored remotely.
"As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver," the advisory said.
The mediaserver service also has access to privileges that third-party applications typically do not receive.
A locally installed malicious app could exploit an elevation of privilege flaw in mediaserver (CVE-2016-0810) to execute code as if it were an elevated system application. An information disclosure flaw in libmediaplayerservice (CVE-2016-0811) could let an attacker bypass the mitigations that are meant to make exploiting the platform harder. Both bugs were rated high severity because they could give an attacker elevated capabilities, such as Signature or SignatureOrSystem permissions, which third-party apps cannot normally obtain.
The system grants a Signature-level permission only to apps signed with the same certificate as the app that declared the permission; for permissions declared by the platform itself, that means apps signed with the platform key. SignatureOrSystem additionally grants the permission to apps that are part of the Android system image (privileged apps, since Android 4.4), whatever key they are signed with. Android's documentation urges developers to avoid it, since the Signature level is sufficient for most needs; it exists for the special case where several vendors build apps into one system image and need to share a feature. From API level 23 it is deprecated in favor of the equivalent "signature|privileged".
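Those protection levels look like this in a manifest. This is an added example, not code from the advisory or from Android itself; the package, the permission names and ControlService are hypothetical. It puts the weak declaration beside the two restrictive ones and shows where the permission is actually enforced, on the exported component.

```xml
<!-- Added example (not from the advisory or from Android). Package, permission
     names and the service are hypothetical. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendorapp">

    <!-- WEAK: "normal" is granted to any app that requests it at install time,
         so exporting a component behind it protects nothing. -->
    <permission
        android:name="com.example.vendorapp.permission.CONTROL_WEAK"
        android:protectionLevel="normal" />

    <!-- Signature: granted only to apps signed with the same certificate as this
         declaring app. Sufficient for cooperating apps from one vendor. -->
    <permission
        android:name="com.example.vendorapp.permission.CONTROL"
        android:protectionLevel="signature" />

    <!-- "signature|privileged" (the API 23+ spelling of signatureOrSystem): also
         granted to privileged apps in the system image regardless of signing key.
         Only for features shared by several vendors built into one image. -->
    <permission
        android:name="com.example.vendorapp.permission.CONTROL_PRIV"
        android:protectionLevel="signature|privileged" />

    <application>
        <!-- The permission only bites where a component names it. Without
             android:permission, any app on the device could bind to this
             exported service. -->
        <service
            android:name=".ControlService"
            android:exported="true"
            android:permission="com.example.vendorapp.permission.CONTROL" />
    </application>
</manifest>
```

A third-party app can request CONTROL_WEAK and be granted it at install time; it cannot obtain CONTROL or CONTROL_PRIV unless it is signed with the vendor's key (or, for CONTROL_PRIV, ships as a privileged app in the system image). That is the gap the mediaserver and libmediaplayerservice bugs above let an attacker jump.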
Potential Wi-Fi attacks patched
Mediaserver vulnerabilities weren't the sole focus of this month's update; the remote code execution vulnerability in Broadcom's Wi-Fi driver is "also of particular importance," according to the advisory. Attackers on the same Wi-Fi network as the victim could use specially crafted wireless control message packets to corrupt kernel memory to remotely execute code in the context of the kernel (CVE-2016-0801 and CVE-2016-0802), the advisory said. The issue was rated as critical severity because the attack would not require user interaction to succeed.
A malicious app could locally trigger an escalation of privilege flaw in the Qualcomm Wi-Fi driver (CVE-2016-0806) to execute arbitrary code within the context of the kernel.
The final Wi-Fi vulnerability, rated high severity, is an elevation of privilege flaw (CVE-2016-0809). A malicious app already installed on the device could use it to execute arbitrary code in the System context, gaining capabilities that are not normally available to third-party apps. According to the advisory, the flaw is currently exploitable only when the devices are in local proximity to each other.
Multiple local attacks fixed
Malicious apps could also exploit two other elevation of privilege vulnerabilities, one in the performance event manager for Qualcomm's ARM processors (CVE-2016-0805) and one in the debugger daemon, debuggerd (CVE-2016-0807). Like the critical flaw in the Qualcomm Wi-Fi driver, these let a malicious app execute arbitrary code in the kernel (CVE-2016-0805) or as root (CVE-2016-0807). Both were rated critical because of the possibility of a permanent device compromise: the operating system would need to be reflashed on the compromised device.
The update also fixed a high-severity denial-of-service vulnerability in the Minikin font library (CVE-2016-0808). A local attacker could cause an untrusted font to be loaded, triggering an overflow in Minikin that crashes the process; because the crash recurs, the device ends up in a continuous reboot loop, according to the advisory.
Google also patched two internally discovered moderate-severity bugs (CVE-2016-0812 and CVE-2016-0813) in the Setup Wizard, which attackers with physical access to the device could exploit to bypass the Factory Reset Protection and erase all data.
Updates and mitigations available
The severity assessment is based on the effect that exploiting the vulnerability could have on the targeted device, assuming platform and service mitigations are disabled or successfully bypassed. Users should move to devices running newer Android versions where possible, because newer releases add hardening that makes exploitation more difficult. For example, newer versions enforce Security-Enhanced Linux (SELinux) policy across the platform, which can keep third-party applications from reaching the affected code.
While Nexus devices will be updated automatically, other Android handsets have to wait for the device manufacturers and carriers to roll out the security fixes. Google provides partners, handset manufacturers, and carriers with the updates a month beforehand to give them time to prep and release the fixes to their devices. The patches will also be available on the Android Open Source Project repository for anyone interested in applying the updates themselves.