Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

8/20/2015
05:20 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

The Month Of Android Vulnerabilities Rolls On

Multi-media handling takes the most hits, and there are no easy fixes.

Starting with the critical vulnerability in the Stagefright multimedia engine -- released at the end of July and detailed at Black Hat in early August -- Android security has received a relentless pummeling for weeks. Several of the new vulnerabilities discovered also leverage weaknesses in Android's handling of multimedia, and none of them will be easily repaired by a mere patch.

The silver lining is that attackers have not raced to exploit the vulnerabilities, despite their many attractions. Here's a quick rundown of the latest:

  • This week, Trend Micro researchers released details about a Stagefright-like vulnerability (CVE-2015-3842) in AudioEffect, a component of MediaServer, that affects Android versions 2.3 through 5.1.1. The bug could enable arbitrary code execution and give the attacker the same permissions as MediaServer, which has access to the device's camera, photos, and videos. The vulnerability could be exploited by convincing the user to run a file that claims to require no special permissions.
  • At the USENIX conference last week, FireEye researchers revealed a vulnerability in the way Android runs multiple processes at once. According to the researchers, these task-hijacking attacks could be used to commit "[user interface] spoofing, denial-of-service and user-monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities."
  • At Black Hat, Checkpoint revealed "Certifi-gate," which takes advantage of a flaw in the Android customization chain. It's a set of vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plugs on Android devices. According to researchers, Certifi-gate would allow attackers to "install malicious applications to gain unrestricted access to a device silently, gain full control of the mobile device, including access to the sensitive user and corporate data."
  • Also at Black Hat, FireEye researchers revealed ways to circumvent TrustZone to harvest fingerprint images from certain Android devices and hijack a mobile payment authorization process.
  • Another vulnerability in MediaServer (CVE-2015-3823) affects Android versions 4.0.1 to 5.1.1 and enabled denials of service, sending Android devices into a cycle of endless reboots.
  • Yet another vulnerability in MediaServer affects Android versions 4.3 (JellyBean) to 5.1.1 (Lollipop), and according to researchers, could "render a phone apparently dead -- silent, unable to make calls, with a lifeless screen." Exploits would render MediaServer unable to  correctly process malformed video files, which causes the service to crash, "and with it, the rest of the operating system." Trend Micro researchers expected this vulnerability would likely be popular with those dealing in ransomware. 

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/21/2015 | 10:53:25 AM
Android the WIndows mobile counterpart
It seems that android phones are quickly becoming the "Windows" devices of the mobile world. Many different manufacturers produce them and they are a bulk of the mobile environment. The discrepancy is not to the point where Android vs. Apple has a major discrepancy of attacks launched against each respective environment.

Also, I understand there is a Windows phone...but honestly how many people, that don't work for Microsoft, do you know who owns a Windows phone?
DaveS074
50%
50%
DaveS074,
User Rank: Apprentice
8/21/2015 | 1:40:31 PM
No fix then what?
If android devices, especially phones, have all these vulnerabilities then what is the consumer to do to protect themselves? Disable the apps? Some look like core processes that can't be shut down. Does trend micro, who identified one of the problems, security app shield android? Others?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
CVE-2020-12513
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
CVE-2020-12514
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd