Critical remote code execution flaws in Mediaserver dominate this month's Android Security Bulletin from Google.
Google patched 32 vulnerabilities across 25 bulletins as part of this month's security update for Android devices. The company also rebranded its patch release to the Android Security Bulletin to reflect the fact that the updates apply to various Android devices, not just Nexus devices.
Only one of the bulletins, which addresses a high-severity information disclosure vulnerability in Qualcomm Tethering controller, did not affect Nexus devices.
Mediaserver takes center stage
New name notwithstanding, the primary focus of this month's update remains the same as previous months: vulnerabilities in the Mediaserver component and related software. Mediaserver handles media processing and has system-level access for many parts of the Android device, including the kernel, camera, and microphone. To successfully compromise the device, attackers just need to craft a malicious media file to exploit Mediaserver and related vulnerabilities.
Ever since the Stagefright vulnerabilities were disclosed last summer, security researchers have identified more than two dozen related vulnerabilities. While there are proofs-of-concept targeting Stagefright, these vulnerabilities have not yet been exploited in the wild, according to Google.
The latest Mediaserver bulletin fixes 12 flaws, of which two are considered critical (CVE-2016-2428 and CVE-2016-2429). The Mediaserver vulnerabilities, which affect Android versions 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.1, lead to memory corruption and expose devices to remote code execution. Attackers can exploit these issues in a number of ways, including using malicious MMS and browser playback of media files.
"This issue is rated as critical severity due to the possibility of remote code execution within the context of the Mediaserver service," Google said. "The Mediaserver service has access to audio and video streams, as well as access to privileges that third-party apps could not normally access."
Five other bulletins in this update were rated as critical because, if exploited, the vulnerabilities potentially could be used to root the Android device. Attackers could trigger the critical elevation of privilege bug in Debuggerd, the integrated Android debugger, to also run arbitrary code in the context of the debugger. An attacker targeting the privilege escalation vulnerabilities in the Qualcomm TrustZone and Qualcomm Wi-Fi driver would be able to run arbitrary code with permissions granted to the TrustZone kernel.
The kernel flaw affected Nexus 5, 5X, 6, 6P, 7 (2013 model), and 9 devices. The final set of rooting vulnerabilities were in the Nvidia Video driver and affected Nexus 9 devices. For each of the issues, fixing the device would require re-flashing the operating system, according to the advisory.
High- and moderate-severity bugs fixed
A dozen bulletins addressing 19 vulnerabilities were rated as high severity, including remote code execution vulnerabilities in the kernel and Bluetooth, and elevation of privilege flaws in Mediaserver, Qualcomm Buspm Driver, Qualcomm MDP Driver, Qualcomm Wi-Fi Drivem NVIDIA Video Driver, Wi-Fi, and MediaTek Wi-Fi Driver.
The Bluetooth flaw could lead to remote code execution while initializing a Bluetooth device. An attacker targeting the kernel bug, on the other hand, would first need to compromise a privileged service before exploiting the flaw in the audio subsystem, the advisory said. The bug in the Binder could allow an attacker to cause local code execution during free memory process. The MediaTek flaw affects only Android One devices.
Flaws rated as moderate severity were fixed in Conscrypt, OpenSSL and Boring SSL, MediaTek Wi-Fi Driver, Wi-Fi, AOSP Mail, Mediaserver, and a low-rated DoS bug in the kernel. The elevation of privilege vulnerability in OpenSSL/Boring SSL, which could let a malicious app access data outside its permission levels, was rated as moderate severity instead of high because it requires "an uncommon manual configuration," the advisory said.
The moderate-severity bug in MediaTek was downgraded from high severity because "it requires first compromising a system service."
Patches sent to partners
Carriers and handset makers received the patches on April 4 to give them time to prepare their own software updates. Devicesthat have been updated will show Security Patch Levels of May 1, 2016, or later.
Along with the name change, Google also modified how it rates the severity of each vulnerability. The new rating system is aligned to reflect the real-word impact on users and reflects the potential harm that could occur if the bug was successfully exploited, the company said.
For example, for a vulnerability to be rated as critical, it would have to result in remote arbitrary code execution in a privileged process, permanent device compromise, or remote permanent denial of service. A high-severity flaw would lead to remote arbitrary code execution in an unprivileged process, remote access to protected data, remote bypass of user interaction requirements, or local arbitrary code execution in a privileged process, to name a few results. Google said the severity would be less if the vulnerability requires running as a privileged process to execute the attack or if there are details that limit the impact of the issue.
"The severity determines how the issue is prioritized, and the component determines who fixes the bug, who is notified, and how the fix gets deployed to users," Google said.