Google has renamed is monthly security patch to Android Security Bulletin and has released a bunch of patches to sort out the Mediaserver vulnerability, in this month’s edition.
You are probably already familiar with Google’s updates in which it addresses threats, loopholes and all other stuff with the potential to cause harm on its Android platform, every month. However, you may or may not be aware of the Mediaserver vulnerability — in which case, lets take a quick look at the problem.
The Mediaserver vulnerability was brought to the attention of users after last year, when the system application that is responsible for serving media content and interacting with the kernel, was found to possess some serious flaws that had the potential for causing a whole lot of damage to the device in question. The application is granted system access on many devices and as such, a successful attack on the application has the potential of unlocking the gates to your mobile for an external agent.
So basically, what you have is a shared multimedia processing library that must of needs, be able to handle a wide range of different input file types and formats — hence the permissions. However, media parsers are known to be among some of the most bug laden and vulnerable pieces of software in any OS. Vulnerable and in possesion of system access — definitely a bad combination. As Mike Hanley, director of Duo Labs at Duo Security puts it,
The attack surface is huge, and the rewards are potentially high for a successful attack as mediaserver runs with privileges to many other parts of the device, like the camera and microphone.
The flaws had actually been in Android since version 2.2 was released, however, devices running Android Jelly Bean and older stood at a much greater risk considering that they lack exploit mitigating measures that have since been built into newer versions of Android.
Meanwhile, Google’s security update for May has sorted out 32 vulnerabilities on Nexus devices in an over-the-air update. Other mobile manufacturers and carriers were sent this update almost a month ago, so you should probably check with them, in case you sport a non-nexus device. The Android Open Source Project (AOSP) is also expected to be updated in the next two days with the new updates.
With this update, Google has fixed some critical flaws in Mediaserver that could be exploited by something as simple as a Multimedia Message or a media file playing in the browser. The issues had the potential to lead to memory corruption and could even expose devices to remote code execution.
This issue is rated as Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams, as well as access to privileges that third-party apps could not normally access.
A bunch of rooting vulnerabilities were also patched with this update. This includes four rooting vulnerabilities in the NVIDIA Video Driver and a much more serious issue with debuggerd, the integrated Android debugger.
An elevation of privilege vulnerability in the integrated Android debugger could enable a local malicious application to execute arbitrary code within the context of the Android debugger. This issue is rated as Critical severity due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
Attackers could have exploited this flaw to run code remotely and even root the device. However, thanks to Google’s latest security patch, this should cease to be an issue now.
The rest of the bulletin concerns itself with classifying multiple remaining faults as either high or moderate level. These faults will be addressed by Google at a later date — perhaps in subsequent security bulletins.
There is a description of the issue, a severity rationale, and a table with the CVE, associated bug, severity, updated Nexus devices, updated AOSP versions (where applicable), and date reported. When available, we will link the AOSP change that addressed the issue to the bug ID. When multiple changes relate to a single bug, additional AOSP references are linked to numbers following the bug ID.
To know more about the issues that have been fixed with this month’s Android Security Bulletin, please visit this link.