Tag Archives: Google

Responding to the Meltdown and Spectre Vulnerabilities

=======================
Please scroll down for more updates to this original post.
=======================
Earlier in January updates for Linux, Apple and Windows were made available to work towards addressing the 3 security vulnerabilities collectively known as Meltdown and Spectre.

Why should these vulnerabilities be considered important?
I’ll provide a brief summary of the two categories of vulnerabilities:

Meltdown (CVE-2017-5754): This is the name of the vulnerability discovered that when exploited by an attacker could allow an application running with standard privileges (not root or elevated privileges) to read memory only intended for access by the kernel.

Spectre (Variant 1: CVE-2017-5753 ; Variant 2: CVE-2017-5715): This is a category of two known vulnerabilities that erode the security boundaries that are present between applications running on a system. Exploitation can allow the gathering of information from applications which could include privileged information e.g. usernames, password and encryption keys etc. This issue can be exploited using a web browser (e.g. Apple Safari, Mozilla Firefox, Google Chrome, Microsoft Edge (or IE) by using it to record the current time at very short intervals. This would be used by an attacker to learn which memory addresses were cached (and which weren’t) allowing the attacker to read data from websites (violating the same-origin policy) or obtain data from the browser.

Browser vendors have responded by reducing the precision of JavaScript timing and making it more unpredictable while other aspects of JavaScript timing (using the SharedArrayBuffer feature) have been disabled.

More in-depth (while still being less technical) descriptions of these issues are available here , here and here.

How can I protect myself from these vulnerabilities?
Since these vulnerabilities are due to the fundamental architecture/design of modern CPUs; it is not possible to fully address them. Instead a combination of software fixes and microcode updates (defined) is more a viable alternative than re-designing the established architecture of modern CPUs.

In-depth lists of updates available from multiple vendors are available here and here. I would suggest glancing at the affected vendors and if you own a device/product from them; checking if you are affected by these vulnerabilities. A list of BIOS (defined) updates from multiple vendors are available here. Google Chrome has a Site Isolation mode that can mitigate these vulnerabilities which will be more comprehensively addressed in Chrome version 64 scheduled for release last this month.

At this time my systems required updates from Google, Mozilla, Microsoft, Apple, VMware, Asus, Lenovo and Nvidia. Many of many existing desktops are unlikely to receive microcode and BIOS updates due to be more than 3 years old. However my Windows 10 laptop has received a BIOS update from the manufacturer.

Are there disadvantages to installing these updates?
While these updates increase security against these vulnerabilities; performance issues and stability issues (Intel and AMD) after the installation of these updates have been reported. These vary in severity but according to Intel and Microsoft the updates will be refined/optimised over time.

Benchmarks (for desktops) made available by TechSpot show negligible impact on most tasks that would stress a CPU (defined). However any work that you perform which makes of large files e.g. databases may be significantly impacted by the performance impact these updates have when accessing files on disk (mechanical and solid state). For laptops the slowdown was felt across almost all workload types. Newer and older silicon were inconsistently impacted. At times even some Intel 8th generation CPUs were impacted more than 5th generation CPUs.

Details of the anticipated performance impact for Linux, Apple macOS (and iOS) and Windows are linked to. Further reports of reduced performance from Intel and Apple devices have also been recorded. Further details of a feature known as PCID (Process-Context Identifiers) within more recent CPUs which will help reduce the performance impact are provided here. For Intel CPUs, 4th generation Core CPUs and later should include it but any CPU manufactured after 2011 should have it (one of my CPUs; a Core i7 2600K has this feature, verified using Sysinternals Coreinfo). A full list of Intel CPUs affected by these vulnerabilities is here.

Conclusion:
With the widely reported stability and performance issues present it is your decision if you install the necessary updates now or wait until further refinements. If you experience issues, please report them to the manufacturers where possible and within online forums if not. More refined updates will only be created if a need to do so is established.

I’m in the process of updating my systems but will benchmark them before and after each updates to determine an impact and make a longer term decision to keep the updates or uninstall them until further versions become available. I’ll update this post as I gather more results.

=======================
Update: 16th January 2018:
=======================
A newly released free utility from Gibson Research (the same website/author as the well-known ShieldsUp firewall tester) named InSpectre can check if your Windows system has been patched against Meltdown and Spectre and can give an indication of how much the performance of your system will be affected by installing and enabling the Windows and/or the BIOS updates.

Please note: I haven’t tried this utility yet but will this weekend (it will help with the tests I’m carrying out (mentioned above). I’ll update this post when I have tried out this utility.

Thanks again.

=======================
Update: 24th January 2018:
=======================
As promised I gathered some early results from a selection of CPUs and the results for all but recent CPUs are evidence they will experience a potentially noticeable performance drop:

====================
CPUs supporting PCID (obtained using Sysinternals Coreinfo):
Intel Core i7 Extreme 980X @ 3.33 GHz
Intel Core i7 2600K @ 3.8 GHz
Intel Core i5 4590T @ 3.3 GHz
Intel Core i7 6500U (laptop CPU) @ 2.5 GHZ

CPUs supporting INVPCID (obtained using Sysinternals Coreinfo):
Intel Core i5 4590T @ 3.3 GHz
Intel Core i7 6500U (laptop CPU) @ 2.5 GHZ
====================

Explanations of the purpose and relevance of the PCID and INVPCID CPU instructions are available from this Ars Technica article. The results from InSpectre only show positive results when both PCID and INVPCID are present backing up the observations within the above linked to Ars Technica article (that the updates take advantage of the performance advantages of these instructions when both are present).

The results from InSpectre back up these findings by stating that the 980X and 2600K will not deliver high performance protection from Meltdown or Spectre. Since my PCs are mainly used for more CPU intensive tasks (rather than disk intensive) e.g. games and Folding@Home; I still don’t expect too much of a performance decrease. The older CPUs are due for replacement.

You may ask; “why am I so concerned with the performance impact of these updates?” The answer is that significant time and investment has been made into the above systems for them to perform at peak performance for the intended tasks I use them for. Performance and security are both very important to me and I believe there should only be a small trade off in performance for better security.

My next step will be to benchmark the CPU, hard disk and GPU of each system before and after installing each update. I will initially do this for the 6500U and 2600K systems and provide these results. The categories of updates are listed below. I will keep you informed of my findings.

Thank you.
====================
Update 1: Software updates from Microsoft for Meltdown and Spectre
Update 2: Firmware update (where available)
Update 3: Nvidia / AMD GPU driver update
====================

=======================
Update: 13th February 2018:
=======================
Sorry for the long delay (I was travelling again for my work). The above benchmarking is now taking place and I will make the results available as soon as possible. Thanks for your understanding.

=======================
Update: 27th February 2018
=======================
Earlier last week Intel made available further microcode updates for more CPUs. These updates seek to address variant 2 of the Spectre vulnerability (CVE-2017-5715). Updates are now available for the CPUs listed below.

As before, please refer to the manufacturer of your motherboard of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have to determine if these updates have been made available for your specific systems. Further information for corporate system administrators containing details of the patching process is available within this link (PDF):

  • Kaby Lake (Intel 7th Generation Core CPUs)
  • Coffee Lake (Intel 8th Generation Core CPUs)
  • Further Skylake CPUs (Intel 6th Generation Core CPUs)
  • Intel Core X series (Intel Core i9 CPUs e.g. in the 7900 and 7800 model range)
  • Intel Xeon Scalable (primarily targeted at data centres)
  • Intel Xeon D (primarily targeted at data centres)

Information on patches now available for OpenBSD and FreeBSD are located within the following links:

OpenBSD:
OpenBSD mailing list
The Register: OpenBSD Patch now Available

FreeBSD:
FreeBSD Wiki
Softpedia: Spectre and Meltdown mitigations now available

=======================
Update: 1st April 2018
=======================
As vendors have responded to these vulnerabilities; updates have been released for many products. I will describe these updates in more detail below. Apologies if I have omitted any, this isn’t intentional but the list below should still be useful to you:

=======================
Google ChromeOS:
=======================
Following the release of ChromeOS 64 in February which provided updates against the Meltdown and Spectre vulnerabilities, ChromeOS 65 includes further mitigations against these vulnerabilities including the more efficient Retpoline mitigation for Spectre variant 2.

=======================
Sony Xperia:
=======================
In late February Sony made available updates which include mitigations for Meltdown and Spectre for their Xperia X and Xperia X Compact phones which brings the build number to 34.4.A.2.19

=======================
Microsoft Issues Microcode Updates:
=======================
As previously mentioned when this blog post was first published; updates for the Meltdown and Spectre vulnerabilities are made up of software updates, microcode updates and firmware (BIOS updates) and GPU drivers.

Due to the complexity of updating the firmware of computer systems which is very specific and potentially error prone (if you apply the wrong update to your device it can render it useless, meaning it will need to be repaired/replaced (which is not always possible) Microsoft in early March began to issue microcode driver updates (as VMware describes they can be used as substitutes for firmware updates). Microcode updates have been issued in the past to address CPU reliability issues when used with Windows.

=======================
Intel Firmware Updates:
=======================
As with previous microcode updates issued by Intel in late February; these updates seek to resolve variant 2 of the Spectre vulnerability (CVE-2017-5715).

While Intel has issued these updates; they will be made available separately by the manufacturer of your motherboard of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have. You will have to determine from the updates those vendors issue if they are available for the products that you own.

Unfortunately not all systems will receive these updates e.g. most recent system was assembled in 2014 and has not received any updates from the vendor; the vendor has issued updates on their more recent motherboards. Only my 2016 laptop was updated. This means that for me; replacing the systems gradually is the only means of addressing variant 2 of the Spectre vulnerability.

Intel’s updates are for the Broadwell (5th generation CPUs i.e. 5000 series) and Haswell (4th generation CPUs i.e. 4000 series).

=======================
Microsoft Surface Pro:
=======================
Earlier this week Microsoft released firmware updates for their Surface Pro which mitigate the Meltdown and Spectre vulnerabilities. This link provides further details and how to install the updates.

=======================
Microsoft Issues Further Security Update on the 29th March:
=======================
As noted in my separate post; please refer to that post for details of a security update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit that resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of those Windows versions.

=======================
Microsoft Offers Bug Bounty for Meltdown and Spectre vulnerabilities:
=======================
Microsoft have announced bug bounties from $5000 to $250,000 to security researchers who can locate and provide details of exploits for these vulnerabilities upon Windows, Azure and Microsoft Edge.

If such a programme is successful it could prevent another instance of needing to patch further related vulnerabilities after the issues have been publicly disclosed (defined). This is sure to assist the system administrators of large organisations who currently in the process of deploying the existing updates or who may be testing systems on a phased basis to ensure performance is not compromised too much.

Further details are available from this link.

=======================
Update: 6th April 2018
=======================
Earlier this week, Intel issued a further progress update for the deployment of further microcode for their CPUs.

A further 5 families of CPUs have now completed testing and microcode updates are available. These families are:

    • Arrandale
    • Clarkdale
    • Lynnfield
    • Nehalem
    • Westmere

==================
However a further 9 families will not receive such updates for the reasons listed below. Those families are:

      • Micro-architectural characteristics that preclude a practical implementation of features mitigating [Spectre] Variant 2 (CVE-2017-5715)
      • Limited Commercially Available System Software support
      • Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.

==================

      • Bloomfield
      • Clarksfield
      • Gulftown
      • Harpertown Xeon
      • Jasper Forest
      • Penryn
      • SoFIA 3GR
      • Wolfdale
      • Yorkfield

This announcement from Intel means my Intel Core i7 Extreme 980X (from 2010) won’t receive an update. This system isn’t used very much on the internet and so the impact is limited. I am hoping to replace this system in the near future too.

Recommendations:

Please review the updated PDF made available by Intel (I can upload the PDF to this blog if Intel place it behind an account which requires sign in. At this time the PDF link still works).

As before; please monitor the websites for the manufacturer of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have to determine if these updates have been made available for your specific systems.

Thank you.

==================
BranchScope Vulnerability Disclosed:
In a related story; four security researchers from different universities responsibly disclosed (defined) a new side channel attack affecting Intel CPUs. This attack has the potential to obtain sensitive information from vulnerable systems (a similar result from the existing Meltdown and Spectre vulnerabilities).

Further details of this attack named “BranchScope” are available in this Softpedia article and this paper from the researchers. Within the above article Intel responded to this attack stating that this vulnerability is similar to known side channel and existing software mitigations (defined) are effective against this vulnerability. Their precise wording is provided below.

Thank you.

==================
An Intel spokesperson has provided the following statement:

“We have been working with these researchers and have determined the method they describe is similar to previously known side channel exploits. We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper. We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers.”
==================

=======================
Update: 13th April 2018
=======================
AMD have issued microcode (defined) updates for Windows 10 Version 1709 to enhance the protection of their customer’s against variant 2 (CVE-2017-5715) of the Spectre vulnerability. Further details of these updates are available within these KB articles: KB4093112 and KB3073119

Thank you.

Google offers financial and technical support to open source projects

Early last week Google shared their results after beginning a project to fuzz (defined) test open source software (defined). Their project is currently processing 10 trillion test cases per day. Open source projects involved in this initiative include GNUTLS, BoringSSL, FFMpeg, JSON, Libpng, LibreOffice, LibSSH, OpenSSL and Wireshark (among many well-known others).

What is the purpose of their project?
The purpose of fuzzing is to repeatedly and thoroughly test how robust/secure the code of the enrolled open source projects is. More than 1000 bugs have found so far (approximately 264 of which were potential security vulnerabilities).

As Google points out, this also helps to increase the reliability of the software being created since regressions (defined) are fixed within hours before they ever affect a user. Another aspect of this is other software bugs e.g. logic errors can be detected and corrected sooner.

In return for a project signing up to this initiative, Google have pledged to provide extra funding:

  1. $1,000 USD for initial integration of the OSS-Fuzz tests into their development process
  2. Up to $20,000 USD for ideal integration (an itemised list of how this figure is obtained is detailed here).

How this project become to be developed?
I have mentioned the Core Infrastructure Initiative (CII) on this blog before. This fuzzing project was created with assistance from the CII to benefit projects critical to the global IT infrastructure. This project is in progress alongside Project Wycheproof (with its objective to strengthen cryptographic implementations by having new implementations pass a series of tests to verify they are not affected by these particular implementation issues being checked for).

How does this project help the wider industry/community?
With projects such as those mentioned above used by large corporations, small business and consumers alike; the regular feature/security updates we all receive make these projects more stable and secure than they otherwise would be. The outcomes will be very similar to that of Pwn2Own.

With these benefits for the projects as well as all of their users, I hope projects such as this continue and expand in scope as time progresses.

Thank you.

Protecting Your Smart TV From Ransomware

In mid-2016 a news article detailed the possibility for Android powered Smart TVs to be infected by ransomware. Last month that prediction came true.

To recover the affected TV, you should reset it to factory default settings. You may need to contact the manufacturer if they don’t provide the steps to perform the reset as part of the devices documentation.

With 2017 predicted to break the record set in 2016 for ransomware, occurrences such as this will likely become more common.

Unfortunately, TV manufacturers are unlikely to pre-harden vulnerable devices before shipping them due to compatibility concerns and increased costs (during manufacturing and later support costs). To increase use of their after sales service they are again unlikely to publish the key sequences or button presses to perform a factory reset.

The ransomware encountered by this software developer was “just” a screen locker. It didn’t also try to encrypt any connected USB drives. Separately, a Symantec security researcher published a helpful list of mitigations to protect against ransomware targeting Smart TVs.

Continuing the trend of protecting Internet of Things (IoT) devices (defined), I hope that you find the above mitigations useful. Please also refer to this previous blog post for more general advice on preventing ransomware infections on your everyday computing devices (non IoT devices).

Thank you.

Disclosed Microsoft Zero Day Under Attack By APT Group

====================
Update: 8th November:
The Microsoft zero day vulnerability discussed in this post has now been patched. Please refer to this post for the appropriate information and download links.

Thank you.

====================
Original Post:
====================
Earlier this week Google publicly disclosed (defined) details of a new zero day (defined) vulnerability affecting supported versions of Windows up to Windows 10. Fortunately, the disclosure only included minimal details.

Why Should These Issues Be Considered Important?
The vulnerability disclosed by Google could result with an attacker being able to elevate their privileges (defined) on an affected system. However, when used in combination with a previously patched Adobe Flash Player vulnerability (reference previous post) this could result in a Windows system under your responsibility or in your ownership to have a backdoor (defined) installed.

Some good news is that this new exploit primarily targets organisations that operate in the following sectors (thus all other organisations are at somewhat reduced risk): government, intelligence or military organisations.

The nature of the backdoor is the decision of the attacker but would usually include a means of remaining persistent on the system and allowing the attacker to remote access the infected system. This backdoor can then be used to move data of the attacker’s choice off the affected system. The APT group known as STRONTIUM by Microsoft (other aliases used in the wider cyber security industry are APT28, also aka Sofacy aka Fancy Bear aka TsarTeam aka Sednit aka PawnStorm). STRONTIUM is also known for moving laterally throughout the network which they compromise (where the pass the hash (PtH) (defined) technique is the method of choice to do so).

How Can I Protect Myself From This Issue?
While a patch from Microsoft is in progress (scheduled for release on the 8th of November): follow safe email guidelines namely don’t click on unexpected/unsolicited links or open potentially dangerous email attachments to prevent the execution (carrying out of) the exploits actions in the first instance.

If you use the Microsoft Edge or Google Chrome web browsers the exploit for the local elevation of privilege vulnerability will be mitigated. This is due to Chrome’s sandbox (defined) blocking the use of API (defined) calls to the win32k.sys driver (defined). This in addition to its existing mitigations when installed on Windows 10 which I previously discussed.

Microsoft Edge on the other hand implements Code Integrity to prevent the next steps of exploitation.

To protect endpoints within your organisation you could consider utilising the logging capabilities of Microsoft EMET and Systinternals’ Sysmon by processing their logs using a SIEM (defined) and taking action when that SIEM a alerts you to suspicion activity. This is especially true since this exploit can occur from within web browsers, the Java JRE, Microsoft Word and Microsoft PowerPoint (namely that these applications are used to open suspicious/untrusted files).

My thanks to a colleague (you know who you are!) for compiling very useful information for this blog post.

Thank you.

Google Chrome Benefits From Windows 10 Security Mitigations

Earlier this year in February, Google added several new security mitigations (defined within this post) to Google Chrome that work in partnership with lesser known changes within the Windows 10 update (known as Build 10586 or Version 1511) made available by Microsoft in November last year.

How Do These New Techniques Work?
In total 3 new mitigations were added:

    1. Block un-trusted fonts
    On numerous occasions over the last year Microsoft have released security updates that address vulnerabilities related to Windows handling of fonts (examples here, here and here (among others)). Such vulnerabilities are of interest to attackers since when successfully exploited they provide the attacker with kernel mode privileges (defined). The concept of a kernel is defined here. A mitigation designed to make exploiting such vulnerabilities more difficult is present in the most recent version of Microsoft EMET version 5.5 and is discussed in more detail on page 11 of the EMET user guide as well as this TechNet article.

    Windows 10 features a system wide means of blocking the use of fonts to only the Windows Font directory (folder) by default located at: C:\Windows\Fonts However due to the application compatibility issues that this feature can cause it is turned off by default. While the ability to enable this security feature for running applications on a per process (defined) basis is available this is unsuitable for Chrome since it creates multiple processes with different security permissions applied. However, the November 2015 Windows 10 added the ability to enable the blocking of fonts for individual processes of which Chrome can now take advantage of.

    2. Block the creation of child processes
    This mitigation is intended to block an attacker’s exploit from creating new running processes without any restrictions of the Google Chrome sandbox (discussed below) on a Windows device if they are successful at exploiting Google Chrome. Google Chrome has always incorporated a protective sandbox (defined) that prevents malicious code from being able to make changes to the computer upon which Google Chrome is installed.

    To address a vulnerability reported by Google to Microsoft in late 2014; the Windows 10 November update provides the ability to applications (if they choose to use it) to block the ability to create child processes including console processes (disused further in the Google bug report linked to above). This new capability is now utilized by Google Chrome.

    3. Block the loading of DLLs (defined) from network drives
    While Windows provides the ability for an application to load a DLL from a network location (e.g. a mapped network drive); this can be used by an attacker to insert malicious code into a legitimate application (e.g. if they substitute a legitimate DLL in a network location with a malicious DLL of the same name).

    This ability has been disabled within Google Chrome when it’s installed on Windows 10 with the November 2015 update further hardening it against this type of attack. This capability is similar to the defences of Microsoft Edge against DLL injection.

    Conclusion
    All of the above new mitigations provide defence-in-depth (defined)(PDF) security against possible future vulnerabilities and provide further incentive for Windows users to migrate to Windows 10. Please do not misunderstand me I am not trying to advocate that users do so, I am simply pointing out the additional security features that are available if you choose to use Windows 10 (with the November update) and Google Chrome in combination.

    Thank you.

Google Releases Security Updates for Android (Feb and March 2016)

On the 7th of March Google released their scheduled security updates for their Android smartphone operating system. That update brings Androids build number to version LMY49H While Android version 6.0 (known as Marshmallow) with Security Patch Level of March 1, 2016 includes the appropriate fixes.

The March updates resolves 19 security vulnerabilities more formally known as CVEs (defined) of the following severities:

====================
7x critical severity CVEs
10x high severity CVEs
2x moderate severity CVEs
====================

Moreover, the previous February updates addresses 13 with the following severities:
====================
7x critical severity CVEs
4x high severity CVEs
2x moderate severity CVEs
====================

That update brings Androids build number to version LMY49G While Android version 6.0 (known as Marshmallow) with Security Patch Level of February 1, 2016 includes the appropriate fixes.

Why Should These Issues Be Considered Important?
For the March update 2 critical vulnerabilities in Mediaserver were fixed that could have allowed an attacker to use email, web browsing or an MMS message (defined) to process media files that would have allowed them to achieve remote code execution (namely to carry out any instructions/actions of their choice). The attacker would only have had to know the victim’s phone number.

Other notable flaws are the Elevation of Privilege in Conscrypt that could allow an attacker to use an invalid digital certificate allowing them to carry out a man-in-the-middle attack (defined).

The critical issue in the Qualcomm Performance Component if exploited would allow an attacker to run code with the privileges of the Android kernel (defined). The same was true of the Kernel Keyring bug. Android version 5.0 and above are however not vulnerable to this flaw if an attempt to exploit comes from 3rd party apps. If these flaws were to be exploited a manual re-flashing (defined) of the operating system would be required to recover from them.

Within the February update a critical issue in the Broadcom Wi-Fi Driver was fixed that could have been exploited by an attacker on the same Wi-Fi network by sending a malicious wireless control message packet (defined) to the phone which would not require any input from the user. The attacker could then run code with the same privileges as the Android kernel. Other critical and high vulnerabilities in the Qualcomm driver and Wi-Fi component respectively could have been exploited by an installed app to run code (have instructions carried out) with system privileges (defined).

How Can I Protect Myself From These Issues?
Updates to resolve these issues were made available by Google on 1st of February 2016 and the 7th of March 2016. Manufacturers such as Samsung/LG etc. received these updates on the 4th of January and 1st February respectively.

As mentioned by Sophos you may need to ask your device manufacturer or mobile carrier when this update will be made available to you. As discussed in a previous post regarding Android updates, please ensure to only apply updates from your mobile carrier or device manufacturer.

You may recall that I discussed the security update process for my Android phone in a previous blog post. An update has been made available by Sony, it’s dated the 8th of March 2016 (notably it’s still Android version 5.0 rather than 6.0). My phone is still using a build of Android from October 2015. I am hopeful to receive this update by the end of the month or very soon afterwards. Sony ‘s website provides release notes for the update which state that it includes “The latest security enhancements”.

Given that Google have released preview versions of the successor to Android version 6.0 (Marshmallow) known as “Nutella” sooner than expected it’s unclear whether Sony will update my phone in the future to Marshmallow or Nutella or simply end-of-life my phone in favor of a newer model. I will update post should my phone receive an update in the near future.

Thank you.

Google Releases Security Updates for Android

In early December 2015 and January 2016 Google made available further security updates for their Android smartphone operating system.

The December update addresses 16 security issues (all of which have been assigned CVE numbers (defined)(4x critical severity, 10x high severity and 2x moderate severity). That update brings Androids build number to version LMY48Z Android version 6.0 (known as Marshmallow) with Security Patch Level of December 1, 2015 or later address these issues. This update includes 2 fixes for security issues within libstagefright (both high severity) and 1 issue within both the Mediaserver (critical severity) and Media Framework (high severity) components.

Meanwhile the January update resolves 12 security issues (all assigned CVE numbers). That update when installed will show build version LMY49F As before, Android version 6.0 (known as Marshmallow) with Security Patch Level of January 1, 2016 or later address these issues. This update includes a fix for a critical issue in the Mediaserver component.

Why Should These Issues Be Considered Important?
As part of the December update a critical issue within Mediaserver was resolved that could be exploited by a remote attacker to allow them to carry out any instructions/actions of their choice (remote code execution). 3rd party applications could then be used to carry out the attacker’s actions with high privileges that they wouldn’t otherwise have. The issue can be exploited by sending specifically crafted media files within MMS messages (defined) or displaying those files on a specifically crafted webpage. Similar critical issues (3 in total) in the Skia graphics engine and Display driver can also use the above 2 means of attack mentioned above in addition to email. The final critical issue would have allowed malicious apps to carry out actions with root privilege (defined) allowing them full control over the smartphone.

For the January update if the MediaServer issue was exploited it could allow an attacker to use any emails, websites or MMS messages containing specifically crafted media files to remotely execute code (i.e. instructions or actions of their choice) due to a memory corruption issue corrected in this update. In addition, the critical issues corrected in the Display Driver (which interacts with high privilege with kernel) and the Android kernel (defined) are serious since the kernel can control any piece of the phones hardware and since it’s the core of the Android operating system it can be used to carry out any action/step since it has the highest level of privilege within the operating system.


How Can I Protect Myself From These Issues?

Updates to resolve these issues were made available by Google on 7th of December 2015 and 4th of January 2016. Manufacturers such as Samsung/LG etc. received these updates on the 2nd of November and the 7th of December respectively.

As mentioned by Sophos you may need to ask your device manufacturer or mobile carrier when this update will be made available to you. As discussed in a previous post regarding Android updates, please ensure to only apply updates from your mobile carrier or device manufacturer.

====
I followed this advice with my very recently purchased Sony smartphone which currently runs Android 5.0 (Lollipop). The Sony website shows that the latest build of Android they offer is already installed on my phone. The build is dated October 2015 (not shown in the image below). They do however show a logo below the build number that appears to suggest that at some time in the future the phone will receive Android 6.0 (Marshmallow). I have attached the image below:

Sony_Update

====
The “Android” name, the Android logo, and other trademarks are property of Google Inc.
Copyright © 2011-2016 Sony Mobile Communications Inc. All rights reserved
====

I also contacted my network carrier and they stated that the device can run these updated versions of Android and that there is no reason why it wouldn’t have received such updates (assuming auto-updates hasn’t been turned off). As I said it appears that I received such updates up to October 2015 (I purchased the phone in November). They stated that Marshmallow will be rolled out in the future but no other details were provided. Neither of these answers are perfect and clearly demonstrate that while updates are being made available by Google and are being provided to the mobile carriers the update process (being used by the mobile carriers) needs to be streamlined for much faster deployment. I hope that you have better luck than I did.

Thank you.