With fixes for 39 vulnerabilities in Android, the April Nexus Security Bulletin is the largest security update from Google since the company began the monthly update process eight months ago.
Google fixed 15 vulnerabilities rated as critical, 16 rated as high, and eight as moderate in the latest monthly bulletin, across 26 different components, including DHCPCD, Mediaserver, Bluetooth, Exchange ActiveSync, Wi-Fi, Telephony, media codec, video kernel driver, and Debuggerd. The update also covers the March 18 out-of-band emergency patch fixing a local privilege escalation flaw in the Android kernel.
“There have been no reports of active customer exploitation or abuse of the other newly reported issues,” Google said in the latest advisory.
The privilege escalation flaw was originally patched in 2014 in the Linux kernel, and researchers reported the same bug (CVE-2015-1805) affected Android devices earlier this year. Zimperium researchers reported that an app capable of exploiting the vulnerability to root Nexus 5 devices was available in the wild in March, prompting Google to release the emergency patch. At the time, Google said attackers could abuse the flaw to gain root privileges on Android devices on kernel versions 3.4, 3.10, and 3.14. Nexus 5 and 6 devices are vulnerable too, Google said.
The Verify Apps feature in Android also blocks installation of apps from outside of Google Play that attempt to exploit the vulnerability, making it harder for attackers to abuse.
Devices with Security Patch Levels of April 2, 2016, or later have both the emergency patch and the latest monthly update. Supported Nexus devices will receive the updates over the air directly from Google, but other Android devices will have to wait for carriers and handset makers to release the updates.
Mediaserver still the biggest headache
As expected, Google again patched critical Mediaserver and libstagefright -- seven critical vulnerabilities and five high-severity bugs in the process itself, as well as one critical flaw in the library. Issues in Mediaserver and libstagefright first came to light last summer with Stagefright, and since then, security researchers in and out of Google have focused on the two components to find and squash other bugs. These security issues are “tangential” to the original Stagefright vulnerability, as they exist in the same component but are distinct concerns, Christopher Budd, a global threat communications manager at Trend Micro said earlier this year.
Mediaserver is a particularly attractive target because it can be attacked via multiple methods, including remote content such as MMS files and browser playback of media files. The service can access audio and video streams, as well as privileges that third-party apps cannot normally touch. If the attack is successful, the attacker could cause memory corruption and remotely execute code with the privileges available to the Mediaserver process.
“The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, Web browsing, and MMS when processing media files,” Google said in its advisory.
Google also patched a critical remote code execution vulnerability in the media codec.
Bugs in core operating system
Along with Mediaserver and related components, Google fixed a critical remote code execution vulnerability in the Dynamic Host Configuration Protocol (DHCP) service and a critical elevation of privilege vulnerability in the kernel. The DHCP flaw would let an attacker cause memory corruption and remotely execute code as the DHCP client. Like Mediaserver, the DHCP service has access to privileges not typically available to third-party apps. As for the kernel bug, a local malicious app could execute arbitrary code and permanently compromise the device. The only way to restore the device would be to reflash the operating system.
The final critical vulnerabilities were in two Qualcomm components: the Qualcomm Performance Module and Qualcomm RF driver. Both escalation-of-privilege vulnerabilities would let malicious apps exploit the Qualcomm components to execute arbitrary code within the kernel, leading to a permanent device compromise.
An elevation-of-privilege vulnerability in a Texas Instrument haptic kernel driver could let a malicious app execute arbitrary code within the context of the kernel. Normally, this kind of a bug would be rated as critical, but Google noted that attackers would first have to compromise a service that can call the driver.
The majority of the issues rated as high severity were elevation-of-privilege flaws, and most of them could be abused to gain special permissions, such as Signature or SignatureOrSystem, which are not typically available to third-party apps. These flaws in IMemory Native Interface, Telecom component, Download Manager, the Recovery Procedure, and System Server could be abused as part of a multistep process.
Fragmented Android
While the ideal situation would be able to update all Android devices with the latest security fixes as soon as they are released, the patchwork of dependencies between Google, the wireless carriers, the device manufacturers, and maintainers of Android-based distributions means a significant number of devices don’t receive the updates on a regular basis. But maybe that can be considered a security advantage, not a security weakness.
At the recent Black Hat Asia conference in Singapore, Dino Dai Zovi, security lead at mobile payments company Square, said the fragmented ecosystem is safer for Android users with unpatched devices because attackers have to customize their attacks for each device model and operating system version. Security programs like Verify Apps and the background scans performed by Google Play, as well as new features in Android Lollipop and Marshmallow, make it harder for users to mistakenly load malicious apps.
“The number of actually infected devices is exceeding low,” Dai Zovi said.
Security flaws need to be patched, and there must be a better way to let Android devices receive regular updates. But so long as the cost of developing exploits for each Android permutation remains high, new vulnerabilities will not result in the sky falling for the unpatched masses.