Google rolled out its second monthly Android security update earlier this month, but the fixes are only beginning to hit handsets.
The bundle included updates for 15 critical remote code execution flaws related to the Stagefright vulnerability, as well as 15 other vulnerabilities in various Android components, such as the Media Player Framework, Android Runtime, Bluetooth, and Mediaserver. The bugs have been addressed in builds LMY48T and later (such as LMY48W) and Android 6.0 Marshmallow, according to the bulletin posted on the Android Security Updates group.
Google botched the first update fixing Stagefright vulnerabilities over the summer and had to release a second update to actually fix the problem. This latest update, which addressed multiple issues within the libstagefright library, doesn't repeat the mistake.
"As appropriate, Google has updated the Hangouts and Messenger applications so that media is not automatically passed to vulnerable processes (such as mediaserver)," Google said in its bulletin.
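The fixed builds named above (LMY48T and later, and Android 6.0 Marshmallow) can be checked against a device inventory. The sketch below is an added example, not code from Google's bulletin. It assumes the pre-Oreo Android build ID layout (release letter, branch letter, date code, version letter) and a constructed inventory of build IDs such as those reported by `getprop ro.build.id`. Builds on another branch are returned as "unknown" rather than guessed.

```python
import re

# Assumed pre-Oreo build ID layout, e.g. LMY48T:
#   L = release family, M = branch, Y48 = date code (quarter letter plus
#   day within the quarter), T = version letter for that date code.
BUILD_ID = re.compile(r"^([A-Z])([A-Z])([A-Z])(\d{2})([A-Z])$")
FIRST_FIXED = "LMY48T"  # first fixed build named in the article


def parse(build_id):
    """Split a build ID into (release, branch, sortable date/version key)."""
    m = BUILD_ID.match(build_id.strip().upper())
    if not m:
        return None
    release, branch, quarter, day, version = m.groups()
    return release, branch, (quarter, int(day), version)


def classify(build_id, first_fixed=FIRST_FIXED):
    """Return 'fixed', 'older' or 'unknown' for one build ID."""
    dev, ref = parse(build_id), parse(first_fixed)
    if dev is None:
        return "unknown"          # vendor-specific or malformed ID
    if dev[0] == "M":
        return "fixed"            # assumption: M release family is Android 6.0
    if dev[:2] != ref[:2]:
        return "unknown"          # different branch: date codes not comparable
    return "fixed" if dev[2] >= ref[2] else "older"


def triage(inventory):
    """Group device names by classification."""
    result = {"fixed": [], "older": [], "unknown": []}
    for device, build_id in sorted(inventory.items()):
        result[classify(build_id)].append(device)
    return result


# Constructed sample inventory (device names are hypothetical).
SAMPLE = {
    "nexus5-a": "LMY48M",
    "nexus6-b": "LMY48W",
    "nexus9-c": "MRA58K",
    "lab-d": "LRX22G",
    "lab-e": "custom-build",
}

if __name__ == "__main__":
    for status, devices in triage(SAMPLE).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices reported as "unknown" need the manufacturer's or carrier's own release notes, since their build IDs do not follow the same branch.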
What was fixed in LMY48T
The majority of the vulnerabilities fixed in this update could have been exploited when opening a specially crafted media file. The Stagefright vulnerabilities would have allowed an attacker to cause memory corruption and remote code execution in the mediaserver service when opening an MP3 audio or MP4 movie file. "The affected components have access to audio and video streams as well as access to privileges that third-party applications cannot normally access," Google said in the bulletin.
Seven Shen, Trend Micro's mobile threats analyst, verified the latest security bulletin fixed the four bugs Trend Micro reported. The first one, an integer overflow bug in MKV (Matroska) file parsing, would have allowed attackers to perform denial-of-service attacks on Android's mediaserver program, causing the device to reboot and draining its battery, Shen said. The second and third bugs were related to MP4 file parsing and would have caused the mediaserver to crash or allow arbitrary code execution when opening a specially crafted MP4 movie file. The final bug in the Real-Time Streaming Protocol media buffer frame handling could result in a heap buffer overflow and arbitrary code execution, Shen said.
Zimperium researchers reported a remote code execution flaw in libstagefright that could also be triggered with a specially crafted MP3 or MP4 file. The other bug Zimperium reported was related to how libutils handled audio file processing: An attacker would have been able to cause corruption and remote code execution through a malicious app. Zimperium did not respond to requests to confirm the fixes were addressed in this bulletin.
A remote code execution vulnerability in the Skia component was rated Critical severity because it could have been exploited by a specially crafted media file sent through multiple attack methods, such as email, Web browsing, and MMS. The critical remote code execution flaw in libFLAC also existed as an application API, and multiple applications used the affected functionality, Google said. An elevation of privilege vulnerability in the media player framework component could allow a malicious application to execute arbitrary code within the context of mediaserver.
Update availability depends on carriers
The vulnerabilities were found in Android 5 Lollipop and earlier. Devices that have been updated to Marshmallow or are eligible for the new operating system upgrade will automatically get the fixes to these issues.
The Android update ecosystem is very different from the desktop world. Just because an update has been released doesn't necessarily mean it is available. After Google prepares the update, it passes the firmware images to each of the manufacturers. They prepare the updates for each of the models before passing them to the carriers. The carriers then decide when those updates become available for users. This means Samsung may have the Galaxy Note 5 update ready, but the time frame for the package's arrival on its AT&T handset will be different from the Verizon model. The exceptions are Nexus phones and tablets, because they are updated by Google directly.
Google said it notified partners about this update on Sept. 10. Verizon appears to be among the first to roll out the fix, as it made the updates available for the Samsung Galaxy Core Prime. Updates for Samsung Galaxy Note Edge and Note 4 on AT&T are on the way, and LG updated its flagship G4 phone. Most of the carriers have not yet announced availability for the majority of handsets.
Much of the attention this month has been on which devices will get Marshmallow, including the fixes. LG promised Marshmallow next week for Poland users; Europe, Asia, and the Americas are to follow. HTC will make Marshmallow available on one of its handsets Oct. 20; most of the devices will begin receiving updates "by the end of 2015."
Even with Google releasing the firmware images to partners in early September, the majority of Android handsets remain update-less in mid-October. When Google first announced the monthly security updates, LG and Samsung committed to providing security updates on a monthly basis. President of HTC America, Jason Mackenzie, on the other hand, said over Twitter that HTC "will push for them, but unrealistic for anyone to say guaranteed every month."
Something has to change in the update ecosystem when studies show more than 80 percent of Android devices worldwide are not secure. The alternatives are to either buy a Nexus or upgrade to the new flagship model every 18 months or so -- neither of which is a sustainable plan.