Tag Archives: Nexus

Google Releases Security Updates for Android (April 2016)

In the first week of April, Google made available its scheduled monthly security update for the Android smartphone operating system. Android devices with a security patch level of April 2, 2016 include all of the fixes within Google's most recent security bulletin.

The April updates resolve 39 security vulnerabilities, more formally known as CVEs (defined), of the following severities:

====================
15x critical severity CVEs
16x high severity CVEs
8x moderate severity CVEs
====================

Why Should These Issues Be Considered Important?
On the 18th of March, Google released an out-of-band (unscheduled) security update to resolve a local elevation of privilege (defined) vulnerability.

The vulnerability was present in the Linux kernel used by Android (defined). A publicly available exploit (a rooting application) was using it against a Google Nexus 5; the security firm Zimperium detected this and reported it to Google on the 15th of March.

This issue was assigned a critical severity rating since it escalates privileges on a vulnerable Android device, which can lead to arbitrary code execution (instructions of the attacker's choice being carried out) and to a permanent compromise of the device that can only be undone by re-flashing the operating system, as described in a previous blog post.

Other critical issues resolved by this update were present in the DHCP (defined) client service, DHCPCD. These could have been exploited to corrupt memory, leading to arbitrary code execution in the context of the DHCP client. The remaining critical issues involved the Qualcomm Performance Module and the Qualcomm RF driver (defined); exploiting either would have allowed an installed malicious app to run code with the privileges of the Android kernel. Both of those kernel-level issues, if exploited, would require re-flashing the affected device since they lead to a permanent device compromise.

Finally, 13 issues (of critical and high severity) related to the earlier Stagefright vulnerabilities were also resolved. Such issues continue to surface because of the increased attention the Mediaserver component of Android has received from security researchers since last year's disclosure of the original Stagefright issue.


How Can I Protect Myself From These Issues?

Updates to resolve these issues were made available by Google on the 4th of April 2016 for its Nexus devices; manufacturers such as Samsung and LG were notified of the issues on the 16th of March or earlier. On Android 6.0 and later you can check which patch level your device currently has under Settings > About phone (Android security patch level).

As mentioned by Sophos, you may need to ask your device manufacturer or mobile carrier when this update will be made available to you. As discussed in a previous post regarding Android updates, please only apply updates that come from your mobile carrier or device manufacturer.

In my previous post discussing Android security updates, I mentioned that a single update for my Sony smartphone was made available on the 8th of March. At the time of writing I still have not received this update. As before, I hope that you are more successful in your phone receiving the appropriate update as soon as possible.

Thank you.

Google Releases Security Updates for Android (Feb and March 2016)

On the 7th of March, Google released its scheduled security updates for the Android smartphone operating system. That update brings the build number of Android 5.1.1 to LMY49H, while Android 6.0 (known as Marshmallow) with a security patch level of March 1, 2016 includes the appropriate fixes.

The March updates resolve 19 security vulnerabilities, more formally known as CVEs (defined), of the following severities:

====================
7x critical severity CVEs
10x high severity CVEs
2x moderate severity CVEs
====================

Moreover, the previous February updates addressed 13 CVEs with the following severities:
====================
7x critical severity CVEs
4x high severity CVEs
2x moderate severity CVEs
====================

That update brought the build number of Android 5.1.1 to LMY49G, while Android 6.0 (Marshmallow) with a security patch level of February 1, 2016 includes the appropriate fixes.

Why Should These Issues Be Considered Important?
For the March update, 2 critical vulnerabilities in Mediaserver were fixed that could have allowed an attacker to achieve remote code execution (namely to carry out any instructions/actions of their choice) by having the phone process a crafted media file delivered by email, web browsing or an MMS message (defined). For the MMS route, the attacker would only have had to know the victim's phone number.

Another notable flaw is an elevation of privilege in Conscrypt that could have allowed a specific type of invalid digital certificate to be trusted, enabling a man-in-the-middle attack (defined).

The critical issue in the Qualcomm Performance Component, if exploited, would allow an attacker to run code with the privileges of the Android kernel (defined). The same is true of the kernel keyring bug; Android 5.0 and later are, however, not vulnerable to that flaw when the exploit attempt comes from a third-party app, because SELinux rules prevent such apps from reaching the affected code. If these flaws were exploited, a manual re-flashing (defined) of the operating system would be required to recover from them.

Within the February update, a critical issue in the Broadcom Wi-Fi driver was fixed that could have been exploited by an attacker on the same Wi-Fi network by sending crafted wireless control message packets (defined) to the phone, requiring no action from the user. The attacker could then run code with the same privileges as the Android kernel. Other critical and high severity vulnerabilities, in the Qualcomm driver and the Wi-Fi component respectively, could have been exploited by an installed app to run code (have instructions carried out) with system privileges (defined).

How Can I Protect Myself From These Issues?
Updates to resolve these issues were made available by Google on the 1st of February 2016 and the 7th of March 2016 respectively. Manufacturers such as Samsung and LG were notified of the issues on the 4th of January and the 1st of February respectively.

As mentioned by Sophos, you may need to ask your device manufacturer or mobile carrier when this update will be made available to you. As discussed in a previous post regarding Android updates, please only apply updates that come from your mobile carrier or device manufacturer.

You may recall that I discussed the security update process for my Android phone in a previous blog post. An update has been made available by Sony; it's dated the 8th of March 2016 (notably it's still Android version 5.0 rather than 6.0). My phone is still using a build of Android from October 2015. I am hopeful to receive this update by the end of the month or very soon afterwards. Sony's website provides release notes for the update which state that it includes "The latest security enhancements".

Given that Google have released preview versions of the successor to Android version 6.0 (Marshmallow), known as "Nutella", sooner than expected, it's unclear whether Sony will update my phone in the future to Marshmallow or Nutella or simply end-of-life my phone in favor of a newer model. I will update this post should my phone receive an update in the near future.

Thank you.

Google Addresses Android Lockscreen Issue

Earlier this month, Google released a security update addressing 8 CVEs (defined) (2x critical severity, 4x high, 1x moderate, 1x low) within the Android smartphone operating system.

Among these issues was an Android lockscreen bypass. It involved entering a very large number of characters into the password prompt of the Android lockscreen while the Camera app was also open, causing the lockscreen to crash.

How Severe Is This Issue?
Google assigned it a moderate severity since, while the bug is easy to exploit, the process is tedious and requires physical access to the device. In addition, this issue is only present if you use a password to protect the lockscreen of your Android smartphone; the more common methods of a PIN or a pattern lock do not appear to be affected.

Moreover, once exploited, the attacker only gains access to the apps on the home screen; they do not obtain the soft buttons or the keyboard. The security researcher who reported this issue to Google used the Android Debug Bridge (adb) to access data on the phone once it was in this partially unlocked state. Further discussion of this issue is provided in this Sophos blog post.

How Can I Protect Myself From This Issue?
Google released an over-the-air security update for its Nexus devices to fix this lockscreen issue (as well as other security issues). Please ensure that your Android device is running version 5.x with build LMY48M or later, which resolves this and the other security issues.

If your mobile carrier has not yet issued this update for your Android phone, please consider contacting them to check when it will be issued to you and, if possible, find out how they plan to update your phone each month as Google makes updates available.

Thank you.

Google Android Stagefright Issues Patched

Update: 10th January 2016:
Further updates addressing newer issues within libstagefright have been made available. Please see this more recent blog post for details.

Thank you.

=======================
Update: 17th November 2015:
Further updates addressing newer Stagefright issues have been made available. Please see this more recent blog post for details.

Thank you.

=======================

Update: 5th October 2015:
A new set of security issues related to Stagefright has been disclosed. They are referred to as Stagefright 2.0. How to address these new issues is discussed in a more recent blog post.

Thank you.
=======================

Update: 13th August 2015:

According to this article, the patches that were intended to resolve the issues discussed in this post were incomplete. Further fixes will be made available in September; further details are provided in the article linked to above. Thank you.
=======================

Update: 9th September 2015: The exploit code for the Android Stagefright issues has been released by the security researcher who discovered them. In addition, the researcher has worked with Google to create an app to check whether an Android device is vulnerable, and is continuing to work with Google to add a check for this vulnerability to Android's Compatibility Test Suite (CTS) so that all future Android devices ship with the issue fixed.

According to this article, the September update from Google to resolve the remaining means of exploiting Stagefright has not yet been released but should be later this month.

=======================
Update: 15th September 2015: According to this article on Ars Technica, Google has begun to release the first batch of monthly security updates for Android for its Nexus devices. It will be interesting to see how quickly the OEM device makers and mobile carriers issue their updates. As this is the first time such updates have been released on a monthly schedule, it may take time for these update processes to be streamlined.

As mentioned below in the updated suggestions to protect yourself from the Android Stagefright issue, if you are using Mozilla Firefox for Android, please ensure that you are using the most recent version so that you are protected from this issue. The steps to install updates for Firefox for Android are provided here.

Thank you.
=======================

Original Post:
In the middle of last week, a series of security vulnerabilities were patched in the Stagefright media playback library (libstagefright) of Google's Android smartphone operating system (initial details of these issues became available a week before the updates).

There are 10 security issues in total, assigned to 7 CVEs (CVE, defined). They consist of a buffer overflow and several integer overflow and underflow vulnerabilities (see the Asides below for definitions of these terms). The issues are present in all versions of Android from version 2.2 (codenamed Froyo) up to Android 5.1.1_r9 (codenamed Lollipop).

Why Should These Issues Be Considered Important?
While it is estimated that up to 950 million Android smartphones are affected by these security issues, more than 90 percent of them benefit from security mitigations, namely Address Space Layout Randomization (ASLR), built into Android since version 4.0 (codenamed Ice Cream Sandwich), with further improvements to ASLR in version 4.1 (Jelly Bean). These mitigations make exploiting the Stagefright issues much more difficult, but not impossible.

These security issues can be exploited by an attacker sending a specially crafted Multimedia Messaging Service (MMS) message (MMS, defined). To do this, the attacker only needs to know your phone number. MMS messages are processed automatically by most Android phones, giving the attacker the possibility of executing arbitrary shellcode (shellcode, defined) on your phone.

How Can I Protect Myself From These Issues?
Sophos provides practical advice on both mitigating the issue until a patch is available for your phone and how to obtain the patch for your phone. Further advice is available in Zimperium's blog post and this CERT knowledge base article. Apologies that some of this information overlaps/is repeated, but each link contains useful information.

The good news since the person who discovered these issues (Joshua Drake of Zimperium) presented further details at his Black Hat talk last week is that Google and Samsung have pledged to provide monthly security updates for their Nexus and Galaxy smartphones respectively. LG has also pledged to do the same.

In addition, fixes for security issues will be made available to mobile carriers (mobile providers) sooner. This should result in a less complicated means of updating when future security vulnerabilities are discovered. The new monthly update process should keep Android smartphones much more secure in future; this improvement is long overdue.

Update: 15th September 2015: In addition, if you are using Mozilla Firefox for Android, please ensure that you are using the most recent version so that you are protected from this issue. The steps to install updates for Firefox for Android are provided here.

Thank you.

=======================
Aside:
What is an integer overflow?

An integer overflow occurs when the value of an integer becomes too large to be represented in the number of bits allocated to it, e.g. a 16-bit signed integer has a maximum value of 32767 (namely 2^15 - 1). If a calculation produces a value higher than this, the result wraps around (counting restarts from the smallest representable value, so the stored result is very small, negative, or otherwise far from the intended value). If that result is then used to size or index a region of computer memory, the program accesses memory it did not intend to.

At best this will result in the program using that value crashing or getting caught in an infinite loop (performing the same action again and again without ending). At worst, an attacker can use an integer overflow to overflow a buffer (a region of computer memory set aside (allocated) to hold data or a value): a wrapped length value passes a size check that the real length would have failed, and the copy that follows writes past the end of the buffer into parts of memory it was not intended to reach.

This can allow an attacker to run/execute code of their choice by overwriting the return address (pointer) of the function that suffered the overflow with a value of the attacker's choosing, placed there by the overspill into adjacent memory. When the function completes, instead of returning (using the location the return address references) to the place it was originally called from, the program will instead jump to the place in memory where the attacker has stored malicious code (since the attacker supplied this location by inserting a value of their choice, as mentioned above).

That code then runs with the same privileges as the program which suffered the overflow. The overwriting of the return address is one reason Microsoft added stack cookies (guard values placed before the return address), part of the /GS compiler mitigation with which Windows has been built since Windows XP Service Pack 2 and all later versions. The other reason is to detect such buffer overflows and terminate the affected program: by force-closing it before the overwritten return address is used, the attack is halted, at the cost of a crash rather than a compromise. The /GS mitigation is explained in more depth here, here and here.

In explaining the integer overflow attack I have also described the outcome of a buffer overflow attack.

Update: 25th August 2015: An individual definition of a buffer overflow attack is provided in a more recent blog post. Further mitigations for buffer overflow attacks are also discussed in that post.

=======================
Update: 17th September 2015:
A detailed definition of a stack overflow is provided in a more recent blog post. This similar type of overflow is a useful addition to the explanations of overflows in this post. Thank you.
=======================

=======================
Aside 2:
What is an integer underflow?

Integer variables in programming languages such as C are commonly 32 bits wide: a signed int can store numbers in the range -2,147,483,648 to 2,147,483,647, while an unsigned int ranges from 0 to 4,294,967,295.

If two numbers are subtracted and the true result is less than -2,147,483,648 (or, for an unsigned integer, less than 0), this causes an integer underflow: the result cannot be represented, so the stored value wraps around to the other end of the range (for example, 2 - 8 in an unsigned 32-bit integer gives 4,294,967,290 rather than -6). If that result is used as a position in an array (an index) or as a length, the program accesses memory outside the array's bounds, most likely crashing it. Note that in C, signed overflow and underflow are undefined behaviour, so a bounds check written after the subtraction may be optimised away by the compiler; checks must be made before the arithmetic that could wrap.

An array is a group of memory locations within a program allocated to store data of the same type, e.g. integer, floating point etc. It is similar to a filing cabinet with multiple folders inside: arrays store data in folders numbered from 0, e.g. folder0, folder1, folder2 etc., and the index mentioned above determines the number of the folder being accessed. Arrays are usually accessed using loops within a program.

The above example is for signed integers; however, underflows also occur with unsigned integers, and these are the more common source of exploitable bugs because lengths and sizes are usually stored as unsigned values.

In a similar manner to that described for integer overflows, an underflow that produces a huge length or index can be used to overflow a buffer and so trigger the execution (performing actions) of code of an attacker's choice.
=======================
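The following is an added example, not code from the original post or from Android's libstagefright, illustrating both asides: how an integer overflow and an integer underflow in a length check turn into a buffer overflow in a media-style parser, and how to write the check so that it cannot wrap. The chunk layout (a 4-byte tag, a 4-byte little-endian total length that counts the header, then the payload), the 64-byte output buffer and the sample chunks are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed chunk layout (an assumption for this example, not a real
 * media container): 4-byte tag, 4-byte little-endian total length that
 * counts the header itself, then the payload. */
#define HEADER_SIZE 8u
#define OUT_SIZE   64u   /* fixed-size destination buffer inside the parser */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE (integer overflow): the sum wraps before the comparison.
 * Returns the byte count the parser would hand to memcpy, 0 if refused.
 * It only computes the decision, so calling it cannot corrupt memory. */
uint32_t unsafe_accepts(uint32_t declared_len) {
    if (declared_len + HEADER_SIZE > OUT_SIZE)   /* 0xFFFFFFFC + 8 wraps to 4 */
        return 0;
    return declared_len;                         /* memcpy(out, p, declared_len) would follow */
}

/* VULNERABLE (integer underflow): the bound is checked on the total, then
 * the header is subtracted. total_len = 2 passes the check and 2 - 8 wraps
 * to 0xFFFFFFFA, so the following memcpy would run for ~4 GiB. */
uint32_t unsafe_payload_len(uint32_t total_len) {
    if (total_len > OUT_SIZE + HEADER_SIZE)
        return 0;
    return total_len - HEADER_SIZE;
}

/* HARDENED: reject before any arithmetic can wrap. Returns the payload
 * length, or -1 if the header is malformed or the payload would not fit. */
int64_t safe_payload_len(uint32_t total_len) {
    if (total_len < HEADER_SIZE)                 /* subtraction would underflow */
        return -1;
    if (total_len - HEADER_SIZE > OUT_SIZE)      /* cannot wrap: subtrahend <= total_len */
        return -1;
    return (int64_t)(total_len - HEADER_SIZE);
}

/* Parse one chunk into a fixed buffer. Also checks the declared length
 * against the bytes actually present, a second bound that format parsers
 * often forget. Returns the number of bytes copied, or -1 on rejection. */
int parse_chunk(const uint8_t *chunk, size_t chunk_len, uint8_t out[OUT_SIZE]) {
    if (chunk_len < HEADER_SIZE) return -1;
    uint32_t total = read_le32(chunk + 4);
    int64_t payload = safe_payload_len(total);
    if (payload < 0 || (size_t)payload > chunk_len - HEADER_SIZE) return -1;
    memcpy(out, chunk + HEADER_SIZE, (size_t)payload);
    return (int)payload;
}

/* Constructed inputs: a well-formed chunk with an 8-byte payload, one whose
 * header claims a total of 2 (underflow case) and one claiming 0xFFFFFFFC
 * (overflow case). The payload bytes are arbitrary. */
int demo_good(void) {
    uint8_t chunk[16] = { 'd','a','t','a', 16,0,0,0, 1,2,3,4,5,6,7,8 };
    uint8_t out[OUT_SIZE];
    return parse_chunk(chunk, sizeof chunk, out);   /* 8 */
}

int demo_underflow(void) {
    uint8_t chunk[16] = { 'd','a','t','a', 2,0,0,0, 1,2,3,4,5,6,7,8 };
    uint8_t out[OUT_SIZE];
    return parse_chunk(chunk, sizeof chunk, out);   /* -1 */
}

int demo_overflow(void) {
    uint8_t chunk[16] = { 'd','a','t','a', 0xFC,0xFF,0xFF,0xFF, 1,2,3,4,5,6,7,8 };
    uint8_t out[OUT_SIZE];
    return parse_chunk(chunk, sizeof chunk, out);   /* -1 */
}

int main(void) {
    printf("vulnerable overflow check accepts 0xFFFFFFFC: %u bytes\n",
           (unsigned)unsafe_accepts(0xFFFFFFFCu));
    printf("vulnerable subtraction for total 2: %u bytes\n",
           (unsigned)unsafe_payload_len(2u));
    printf("hardened parser: good=%d underflow=%d overflow=%d\n",
           demo_good(), demo_underflow(), demo_overflow());
    return 0;
}
```

The two vulnerable functions deliberately return the length they would copy instead of copying it, so the wrap-around can be observed without corrupting memory; the hardened version shows the two rules that matter in practice: compare before subtracting, and compare the declared length against both the destination size and the bytes actually received.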