Google goes into detail about the latest security update for Nexus devices and AOSP


Nexus devices received a new OTA update this week (Build LMY48M), which fixes some security issues. Now, Google is going into more detail on exactly what those fixes were.

There are a total of eight vulnerabilities on the list, one of which has been exploited in the wild. It is unclear whether that was just someone rooting their own device and trying it out, or whether it was used maliciously.

Security vulnerability summary

| Title | CVE | Severity | Active Exploitation |
|---|---|---|---|
| Remote Code Execution Vulnerability in Mediaserver | CVE-2015-3864 | Critical | No |
| Elevation of Privilege Vulnerability in Kernel | CVE-2015-3636 | Critical | Yes |
| Elevation of Privilege Vulnerability in Binder | CVE-2015-3845, CVE-2015-1528 | High | No |
| Elevation of Privilege Vulnerability in Keystore | CVE-2015-3863 | High | No |
| Elevation of Privilege Vulnerability in Region | CVE-2015-3849 | High | No |
| Elevation of Privilege vulnerability in SMS enables notification bypass | CVE-2015-3858 | High | No |
| Elevation of Privilege Vulnerability in Lockscreen | CVE-2015-3860 | Moderate | No |
| Denial of Service Vulnerability in Mediaserver | CVE-2015-3861 | Low | No |

Ars Technica say the two critical fixes will address vulnerabilities found in the libstagefright Android media library. These allowed harmful code to be executed on users’ devices. Google has also been pushing manufacturers and carriers to release Stagefright fixes over the past few months.

Zimperium Mobile Security have released proof-of-concept code showing how Stagefright vulnerabilities could be exploited.

Mitigation Techniques Used To Prevent Exploitation:

  • Remote exploitation for many issues on Android versions 4.1 (Jelly Bean) and higher is mitigated by enhancements in the Address Space Layout Randomization (ASLR) algorithm used in those versions. Android 5.0 improved ASLR by requiring PIE (position-independent executable) for all dynamically linked executables further strengthening the ASLR protection. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team is actively monitoring for abuse of issues with Verify Apps and SafetyNet which will warn about potentially harmful applications about to be installed. Device “rooting” tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known Rooting applications. Verify Apps will block installation of known “malicious” applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will attempt to automatically remove any such applications and notify the user.
  • As appropriate, Google has updated the Hangouts and Messenger applications so that media is not automatically passed to vulnerable processes (such as Mediaserver.)
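
The PIE requirement in the first mitigation can be audited on any binary by reading its ELF header: a dynamically linked executable (one with a `PT_INTERP` program header) must have type `ET_DYN` rather than `ET_EXEC`. The following is an added example, not code from Google or the original article; the names `pie_status` and `make_elf` are hypothetical, and the sample headers are constructed for illustration.

```python
import struct

ET_EXEC, ET_DYN = 2, 3      # e_type values from the ELF specification
PT_LOAD, PT_INTERP = 1, 3   # p_type values from the ELF specification

def pie_status(data: bytes) -> str:
    """Classify an ELF image by how it relates to the Android 5.0 PIE rule."""
    if (len(data) < 16 or data[:4] != b"\x7fELF"
            or data[4] not in (1, 2) or data[5] not in (1, 2)):
        return "not-elf"
    end = "<" if data[5] == 1 else ">"                       # EI_DATA
    hdr = end + ("HHIIIIIHHH" if data[4] == 1 else "HHIQQQIHHH")  # EI_CLASS
    try:
        (e_type, _, _, _, e_phoff, _, _, _,
         e_phentsize, e_phnum) = struct.unpack_from(hdr, data, 16)
        # p_type is the first 32-bit word of every program header.
        p_types = [struct.unpack_from(end + "I", data,
                                      e_phoff + i * e_phentsize)[0]
                   for i in range(e_phnum)]
    except struct.error:
        return "truncated"
    dynamic = PT_INTERP in p_types   # has an interpreter: dynamically linked
    if e_type == ET_DYN:
        return "pie" if dynamic else "shared-object"
    if e_type == ET_EXEC:
        # "non-pie" is the case the Android 5.0 requirement rules out.
        return "non-pie" if dynamic else "static"
    return "other"

def make_elf(e_type: int, with_interp: bool, bits: int = 64) -> bytes:
    """Constructed sample: little-endian ELF header plus one program header."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1, 1]) + bytes(9)
    ehsize, phentsize = (52, 32) if bits == 32 else (64, 56)
    body = "<HHIIIIIHHHHHH" if bits == 32 else "<HHIQQQIHHHHHH"
    header = ident + struct.pack(body, e_type, 0, 1, 0, ehsize, 0, 0,
                                 ehsize, phentsize, 1, 0, 0, 0)
    p_type = PT_INTERP if with_interp else PT_LOAD
    return header + struct.pack("<I", p_type) + bytes(phentsize - 4)

if __name__ == "__main__":
    for label, blob in [("PIE executable", make_elf(ET_DYN, True)),
                        ("legacy executable", make_elf(ET_EXEC, True, 32)),
                        ("static executable", make_elf(ET_EXEC, False))]:
        print(f"{label}: {pie_status(blob)}")
```

To audit a real binary, pass the bytes of a file pulled from a device or extracted from an APK's `lib/` directory to `pie_status`.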

Source: Google
Via: Android Police


About the Author: Brent D'Alessandro
