Google squashes another Mediaserver bug in Android

Google's monthly security update included a patch for a Stagefright-like vulnerability that could crash Android devices by loading a JPEG file

Google fixed more than 50 issues in multiple libraries, the Android kernel, Mediaserver, various hardware drivers, system applications, and networking components as part of its September Android Security Bulletin.

The most noteworthy flaws addressed are the critical remote code execution bug in Mediaserver and a pair of critical elevation of privilege bugs that make up the QuadRooter flaw publicly disclosed in August.

Mediaserver back in spotlight

The remote code execution flaw in Mediaserver (CVE-2016-3862) was similar to the set of Stagefright vulnerabilities disclosed a year ago. While Stagefright and many of the later-disclosed Mediaserver flaws primarily focused on video files, this particular bug affected how Android's Mediaserver component processed EXIF metadata (which can include location data) embedded in JPEG images, said Tim Strazzere, the SentinelOne researcher credited with finding and reporting the vulnerability to Google.

Android apps typically use a Google-provided library to handle EXIF data, but the bug in the library was causing memory corruption during media file and data processing. "Just displaying a photo in Gmail or Gchat would crash the Android phone," Strazzere said.

While Strazzere didn't test social media apps, he said they would also likely be affected by the bug because using that library is the correct way to handle images.

Sharing images is common behavior and an easy attack vector. One of the initial workarounds for Stagefright was to turn off autoplay for video files, but there's no autoplay for images. All the attacker has to do is send an image and have the app display the image as a preview to exploit the flaw and remotely execute code on the user's device.

Media codecs are notoriously difficult to write safely since they touch multiple low-level components and have to handle different input types, said Strazzere. Developers typically gravitate toward C when dealing with these kinds of operations, but doing so increases the chances of introducing memory-related vulnerabilities.

Google could have fixed the bug with what Strazzere described as a "two-line fix." Instead, the company rewrote in Java an entirely new library to handle EXIF data. The Android team could have made the decision because it wanted a more straightforward method to handle the data or because it found more vulnerabilities in the library and decided starting over was best. Regardless of the reason, the decision was "appropriate," as it completely removed a whole class of potential vulnerabilities, Strazzere said.
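The article describes the bug as memory corruption while parsing EXIF metadata in JPEG files and notes that the rewrite moved the parser to a memory-safe language. The following is an added example, not code from the article, from Google or from the affected library, and it does not reproduce the fixed bug: it is a minimal JPEG marker-segment walker that locates the APP1 (Exif) payload and validates the TIFF header inside it, checking every length and offset read from the file against the bytes actually available before using it. Malformed input therefore produces a clean exception rather than an out-of-bounds read, which is the property a safe EXIF parser needs whatever language it is written in. The sample JPEG bytes and the `MalformedJpeg` class are constructed here for the example.

```python
"""Bounds-checked extraction of the Exif (APP1) segment from a JPEG byte string.

Added illustration only; the sample inputs below are constructed, not real files.
"""
import struct
from typing import Iterator, Optional, Tuple

EXIF_HEADER = b"Exif\x00\x00"  # APP1 payload prefix that marks an Exif block


class MalformedJpeg(ValueError):
    """Raised for any structural inconsistency instead of reading past the buffer."""


def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for each marker segment before the scan data.

    Only the segments between SOI and SOS/EOI are walked; RSTn markers, which
    carry no length field, occur only inside entropy-coded data and are never seen here.
    """
    if len(data) < 2 or data[0:2] != b"\xff\xd8":
        raise MalformedJpeg("missing SOI marker")
    pos = 2
    while True:
        if pos + 2 > len(data):
            raise MalformedJpeg("truncated before a marker at offset %d" % pos)
        if data[pos] != 0xFF:
            raise MalformedJpeg("expected 0xFF marker prefix at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments
            return
        if pos + 4 > len(data):
            raise MalformedJpeg("truncated segment length at offset %d" % pos)
        (seg_len,) = struct.unpack(">H", data[pos + 2 : pos + 4])
        if seg_len < 2:  # the length field counts itself, so < 2 is impossible
            raise MalformedJpeg("segment length %d is smaller than its own field" % seg_len)
        end = pos + 2 + seg_len
        if end > len(data):  # the check a memory-unsafe parser must not skip
            raise MalformedJpeg("segment claims %d bytes but only %d remain" % (seg_len, len(data) - pos - 2))
        yield marker, data[pos + 4 : end]
        pos = end


def exif_payload(data: bytes) -> Optional[bytes]:
    """Return the TIFF blob carried by the first Exif APP1 segment, or None."""
    for marker, payload in iter_segments(data):
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            return payload[len(EXIF_HEADER):]
    return None


def parse_tiff_header(tiff: bytes) -> Tuple[str, int, int]:
    """Validate the TIFF header and IFD0 bounds; return (endian, ifd0_offset, entry_count)."""
    if len(tiff) < 8:
        raise MalformedJpeg("TIFF header truncated")
    if tiff[0:2] == b"II":
        endian = "<"
    elif tiff[0:2] == b"MM":
        endian = ">"
    else:
        raise MalformedJpeg("unknown TIFF byte-order mark")
    magic, ifd_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise MalformedJpeg("bad TIFF magic %d" % magic)
    # IFD0 must lie inside the blob: the offset comes from untrusted input.
    if ifd_off < 8 or ifd_off + 2 > len(tiff):
        raise MalformedJpeg("IFD0 offset %d outside %d-byte TIFF blob" % (ifd_off, len(tiff)))
    (count,) = struct.unpack(endian + "H", tiff[ifd_off : ifd_off + 2])
    # Each IFD entry is 12 bytes and the directory ends with a 4-byte next-IFD pointer.
    if ifd_off + 2 + 12 * count + 4 > len(tiff):
        raise MalformedJpeg("IFD0 declares %d entries but the blob is too short" % count)
    return endian, ifd_off, count


def is_malformed(data: bytes) -> bool:
    """True if the metadata segments cannot be walked safely."""
    try:
        tiff = exif_payload(data)
        if tiff is not None:
            parse_tiff_header(tiff)
        return False
    except MalformedJpeg:
        return True


def _build_sample_jpeg(lie_about_length: bool = False) -> bytes:
    """Constructed minimal JPEG: SOI, one Exif APP1 segment with a 1-entry IFD0, EOI."""
    tiff = b"MM" + struct.pack(">HI", 42, 8) + struct.pack(">H", 1)
    tiff += struct.pack(">HHI", 0x0112, 3, 1) + struct.pack(">HH", 1, 0)  # Orientation = 1
    tiff += struct.pack(">I", 0)  # no next IFD
    app1 = EXIF_HEADER + tiff
    declared = 0x1000 if lie_about_length else len(app1) + 2  # oversized length on request
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", declared) + app1 + b"\xff\xd9"


SAMPLE_JPEG = _build_sample_jpeg()
OVERSIZED_JPEG = _build_sample_jpeg(lie_about_length=True)

if __name__ == "__main__":
    print("well-formed:", parse_tiff_header(exif_payload(SAMPLE_JPEG)))
    print("oversized length rejected:", is_malformed(OVERSIZED_JPEG))
```

The two constructed inputs differ only in the APP1 length field: the second declares 4096 bytes where about 32 are present. A parser that trusts that field and copies `seg_len` bytes is exactly the pattern that turns a crafted image into memory corruption in a C codec; here the same input is refused before any read happens.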

The Mediaserver flaw is fixed for all Android devices and Nexus models running Android 4.4.4 and later. While Nexus devices have received the patches in the bulletin, other Android devices have to wait for carriers and handset manufacturers to prepare the update. Depending on the OEM and carrier, some devices may never receive the update at all. There is no patch for older handsets running Android 4.3 and earlier.

QuadRooter completely fixed

Google also fixed the remaining two vulnerabilities that make up the QuadRooter flaw affecting multiple Qualcomm components. The privilege escalation bug in the kernel (CVE-2016-5340) and the privilege escalation flaw in the Qualcomm networking component (CVE-2016-2059) could be used to bypass existing mitigations in the Android kernel and give attackers root privileges. The flaws are in Qualcomm drivers controlling communication between different chip components.

"An elevation-of-privilege vulnerability in the Qualcomm networking component could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process," Google wrote in the Android Security Bulletin.

The other two QuadRooter bugs were patched in July and August. Combining all four QuadRooter bugs could result in complete compromise of Android devices.

QuadRooter was publicly disclosed by researchers from Check Point Software at this year's Defcon in Las Vegas. It could potentially affect 900,000 Android handsets, many of them from popular manufacturers such as Samsung and Motorola, and all the attacker would need to do is trick the victim into downloading a malicious app.

"An elevation-of-privilege vulnerability in the kernel shared memory subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device," Google wrote in the Android Security Bulletin.

Nexus devices received the over-the-air update while other Android devices will have to wait for handset makers and carriers to roll out the update. Google published three different patch levels in this month's update: Sept. 1, Sept. 5, and Sept. 6. Only devices that receive the Sept. 6 updates will receive fixes for QuadRooter.

"Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible," Google said.

Copyright © 2016 IDG Communications, Inc.