Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

8/20/2015
05:20 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

The Month Of Android Vulnerabilities Rolls On

Multi-media handling takes the most hits, and there are no easy fixes.

Starting with the critical vulnerability in the Stagefright multimedia engine -- released at the end of July and detailed at Black Hat in early August -- Android security has received a relentless pummeling for weeks. Several of the new vulnerabilities discovered also leverage weaknesses in Android's handling of multimedia, and none of them will be easily repaired by a mere patch.

The silver lining is that attackers have not raced to exploit the vulnerabilities, despite their many attractions. Here's a quick rundown of the latest:

  • This week, Trend Micro researchers released details about a Stagefright-like vulnerability (CVE-2015-3842) in AudioEffect, a component of MediaServer, that affects Android versions 2.3 through 5.1.1. The bug could enable arbitrary code execution and give the attacker the same permissions as MediaServer, which has access to the device's camera, photos, and videos. The vulnerability could be exploited by convincing the user to run a file that claims to require no special permissions.
  • At the USENIX conference last week, FireEye researchers revealed a vulnerability in the way Android runs multiple processes at once. According to the researchers, these task-hijacking attacks could be used to commit "[user interface] spoofing, denial-of-service and user-monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities."
  • At Black Hat, Checkpoint revealed "Certifi-gate," which takes advantage of a flaw in the Android customization chain. It's a set of vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plugs on Android devices. According to researchers, Certifi-gate would allow attackers to "install malicious applications to gain unrestricted access to a device silently, gain full control of the mobile device, including access to the sensitive user and corporate data."
  • Also at Black Hat, FireEye researchers revealed ways to circumvent TrustZone to harvest fingerprint images from certain Android devices and hijack a mobile payment authorization process.
  • Another vulnerability in MediaServer (CVE-2015-3823) affects Android versions 4.0.1 to 5.1.1 and enabled denials of service, sending Android devices into a cycle of endless reboots.
  • Yet another vulnerability in MediaServer affects Android versions 4.3 (JellyBean) to 5.1.1 (Lollipop), and according to researchers, could "render a phone apparently dead -- silent, unable to make calls, with a lifeless screen." Exploits would render MediaServer unable to  correctly process malformed video files, which causes the service to crash, "and with it, the rest of the operating system." Trend Micro researchers expected this vulnerability would likely be popular with those dealing in ransomware. 

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DaveS074
50%
50%
DaveS074,
User Rank: Apprentice
8/21/2015 | 1:40:31 PM
No fix then what?
If android devices, especially phones, have all these vulnerabilities then what is the consumer to do to protect themselves? Disable the apps? Some look like core processes that can't be shut down. Does trend micro, who identified one of the problems, security app shield android? Others?
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/21/2015 | 10:53:25 AM
Android the WIndows mobile counterpart
It seems that android phones are quickly becoming the "Windows" devices of the mobile world. Many different manufacturers produce them and they are a bulk of the mobile environment. The discrepancy is not to the point where Android vs. Apple has a major discrepancy of attacks launched against each respective environment.

Also, I understand there is a Windows phone...but honestly how many people, that don't work for Microsoft, do you know who owns a Windows phone?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25660
PUBLISHED: 2020-11-23
A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph...
CVE-2020-25688
PUBLISHED: 2020-11-23
A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a...
CVE-2020-25696
PUBLISHED: 2020-11-23
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating sy...
CVE-2020-26229
PUBLISHED: 2020-11-23
TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability...
CVE-2020-28984
PUBLISHED: 2020-11-23
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.