Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/27/2015
05:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Stagefright Android Bug: 'Heartbleed for Mobile' But Harder To Patch

Critical vulnerability in Android's multimedia playback engine is easy to exploit, requires no user interaction, and affects 95 percent of Android devices.

Researchers have uncovered a remote code execution Android vulnerability that could be exploited with only a malicious media file and a phone number. The bug in Android's multimedia playback engine leaves 95 percent of Android devices worldwide critically exposed. It is being called "Heartbleed for mobile," but will be prove harder than Heartbleed to fully fix.

The so-called Stagefright vulnerability was discovered by Joshua J. Drake, vice-president of platform research and exploitation at Zimperium zLabs, who will be presenting his findings at Black Hat Las Vegas next week. Drake actually discovered a variety of implementation issues in Stagefright that could be used to commit of variety of attacks, including denials of service and remote code execution.

The worst of the exploits requires no user interaction: the maliciously crafted media file could be delivered via an MMS message, and the user wouldn't even need to open it. In other words, the only thing attackers need to know about their target is their phone number. According to researchers, an exploit could even be written so that the message could be deleted before the user has a chance to see it.

"This is Heartbleed for mobile -- a remotely exploitable vulnerability that affects millions of Android-based phones and tablets," says Chris Wysopal, CTO and CISO of Veracode. "These are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS. All an attacker needs to do is send an MMS to a user’s device phone number and sit back and wait for the malware to take over."

The prevalence and ease of exploit of this vulnerability is why Wysopal compares it to Heartbleed. "It's the first Android vulnerability that's gotten to that level," he says.

The vulnerability affects Android devices versions 2.2 and later; pre-Jellybean devices are at the worst risk. Zimperium reported it to Google, which has applied patches, but full fixes require all affected devices to have an over-the-air firmware update. And that's perhaps the biggest concern: remediation requires a lot of parties to be involved, will take time, and some may never get around to it.

"The update process is very long and complicated, and most Android users will never receive an OS update," says Zuk Avraham, founder, chairman and CTO of Zimperium. "This is more challenging than Heartbleed, because in that case you can simply patch the server."  

Wysopal says attackers will be creating and distributing exploits soon. "It's probably a matter of days, so time is of the essence to get the devices patched," he says. But "in the past, it [patching] has been a fragmented process."

Google may release a patch, Wysopal says, but the rest of the Android ecosystem -- the handset manufacturers and wireless carriers, for example -- may take weeks or longer. "We need to start asking them for a timeline," he says. "Unfortunately it's a situation where the individual user may need to take the lead."

The good news is that these Stagefright vulnerabilities do not grant attackers to the victim's entire Android device -- only to their media files -- and wouldn't allow the attacker to make the jump onto an enterprise network, he says.

The question then is will this remain--like other mobile threats before it--a consumer or individual issue. Spying on one's media files could be a threat to an individual, but will it be the kind of thing that brings mobile malware a bigger concern to the enterprise?

Wysopal says the Stagefright exploit could be nastier if combined with a privilege escalation exploit.

"There are targeted attacks on smartphones, as the Hacking Team leak has proved," says Avraham. "We are seeing a lot of attacks. This is the most silent threat to the enterprise out there, empowering attackers to essentially spy on anyone from executives to prime ministers and celebrities."

Wysopal's advice is to turn off the auto-download of MMS messages feature, and then avoid opening MMS messages from unfamiliar senders.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .