6 Jun 2016 at 20:37, Iain Thomson
It’s the first Monday of the month, and that means another batch of patches for Android, fixing flaws that can be exploited by apps and webpages to hijack devices.
As usual, if you’re not using a Google Nexus device, you’re at the mercy of your manufacturer and phone carrier to approve and distribute these updates, which may take some time. Although Google Play Services on Android gadgets can install updates quietly in the background direct from Google, it can’t reach the lowest levels of the operating system – which is precisely where these bugs lurk. Nexus devices get their updates straight from Google.
Of the eight critical flaws fixed this month, six are present in Qualcomm-powered phones and fondleslabs: two in each of its sound and GPU drivers, and one in each of the firm’s video and Wi-Fi drivers. All six allow apps installed on the devices to enter kernel space and completely hijack the gadget to steal passwords and spy on victims.
If a handheld is infected with malware via one of these vulnerabilities, you’ll need to do a complete wipe and reflash of the firmware to remove the software nasty.
The other two critical patches this month, as well as the bulk of lesser-severity patches, cover Android’s Mediaserver and libwebm code. Specially crafted audio and video files viewed on a vulnerable device – imagine receiving an MMS text or viewing a web page booby-trapped with an evil video – can exploit these holes to execute malicious code with high privileges on the device.
Ten of the remaining 32 high- and moderate-severity flaw fixes also cover Qualcomm kit, with Broadcom’s dodgy Wi-Fi drivers contributing another couple and Nvidia’s camera driver also showing problems. These holes can be potentially abused by apps to gain extra permissions to snoop on owners or cause trouble.
Twelve of these lower-ranked flaws are in Mediaserver and allow malicious apps to gain Signature or SignatureOrSystem privileges on the device, as does one flaw in the SD card emulation layer of Android. This could allow a specially crafted app with the right system image certification to run code without asking the user first.
Google is well aware of the problems with its Mediaserver. The Chocolate Factory is addressing them in the forthcoming Android N by rewriting and siloing the operating system’s media handling components.
This month’s security bugs are present in Android versions 4.4.4 (32.5 per cent of devices), 5.0.2 (16 per cent), 5.1.1 (19 per cent), 6.0 and 6.0.1 (7.5 per cent). Earlier builds are no longer supported. Although Google only lists which Nexus models are affected in its security advisory, other manufacturers’ phones are also affected.
Android does feature various mechanisms – such as ASLR – to block the exploitation of security bugs, although they can be potentially sidestepped.