Nexus devices received a new OTA update this week (Build LMY48M), which fixes some security issues. Now, Google is going into more detail on exactly what those fixes were.
There are a total of eight vulnerabilities on the list, with one having been exploited in the wild. It is unclear whether that was just someone rooting their own device and trying it out, or whether it was used maliciously.
Security vulnerability summary:
- Remote Code Execution Vulnerability in Mediaserver
- Elevation of Privilege Vulnerability in Kernel
- Elevation of Privilege Vulnerability in Binder
- Elevation of Privilege Vulnerability in Keystore
- Elevation of Privilege Vulnerability in Region
- Elevation of Privilege vulnerability in SMS enables notification bypass
- Elevation of Privilege Vulnerability in Lockscreen
- Denial of Service Vulnerability in Mediaserver
Ars Technica says the two critical fixes will address vulnerabilities found in libstagefright, the Android media library. These allowed attackers to execute harmful code on users’ devices. Google has also been pushing manufacturers and carriers to release Stagefright fixes over the past few months.
Mitigation Techniques Used To Prevent Exploitation:
- Remote exploitation for many issues on Android versions 4.1 (Jelly Bean) and higher is mitigated by enhancements in the Address Space Layout Randomization (ASLR) algorithm used in those versions. Android 5.0 improved ASLR by requiring PIE (position-independent executable) for all dynamically linked executables, further strengthening the ASLR protection. We encourage all users to update to the latest version of Android where possible.
- The Android Security team is actively monitoring for abuse of issues with Verify Apps and SafetyNet which will warn about potentially harmful applications about to be installed. Device “rooting” tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known Rooting applications. Verify Apps will block installation of known “malicious” applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will attempt to automatically remove any such applications and notify the user.
- As appropriate, Google has updated the Hangouts and Messenger applications so that media is not automatically passed to vulnerable processes (such as Mediaserver).
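
The PIE requirement in the first mitigation bullet can be audited from a binary's ELF header: a dynamically linked executable (one with a `PT_INTERP` program header) is position-independent only if its `e_type` is `ET_DYN`. The following is an added example, not code from Google's bulletin or from this post; the function names and the constructed sample headers are assumptions for illustration.

```python
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification
PT_INTERP = 3           # program header that names the dynamic linker

def classify_elf(data: bytes) -> str:
    """Classify an ELF image by the two fields the PIE requirement depends on."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                   # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian
    try:
        e_type = struct.unpack_from(end + "H", data, 16)[0]
        if is64:
            e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
            phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        else:
            e_phoff = struct.unpack_from(end + "I", data, 28)[0]
            phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        # p_type is the first 32-bit word of every program header entry.
        has_interp = any(
            struct.unpack_from(end + "I", data, e_phoff + i * phentsize)[0] == PT_INTERP
            for i in range(phnum))
    except struct.error:
        raise ValueError("truncated ELF header") from None
    if not has_interp:
        return "static-or-library"        # no dynamic linker requested
    if e_type == ET_DYN:
        return "dynamic-pie"              # loadable at a randomized base
    if e_type == ET_EXEC:
        return "dynamic-non-pie"          # fixed load address, weaker ASLR
    return "other"

def sample_elf(e_type: int, interp: bool) -> bytes:
    """Constructed 32-bit little-endian ELF header with one program header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIIIIIHHHHHH", e_type, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_INTERP if interp else 1, 0, 0, 0, 0, 0, 0, 0)
    return ident + hdr + phdr

if __name__ == "__main__":
    for e_type, interp in [(ET_DYN, True), (ET_EXEC, True), (ET_EXEC, False)]:
        print(e_type, interp, classify_elf(sample_elf(e_type, interp)))
```

Run over the executables in a firmware image or app package, a `dynamic-non-pie` result marks a binary that does not meet the Android 5.0 requirement described above.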