This article is more than 1 year old

Google proffers plugs in Android MMS pwnfest

Crack Chrome team, Project Zero bod, out yet another phone hijack nasty

Google has slung a new set of patches at the vulnerability hub that is Android media processing, fixing four critical flaws and 10 high-severity bugs.

The vulnerabilities could allow user phones to be compromised through a variety of means including MMS, email, and following web links.

Nexus users get the fixes first along with those running neat AOSP (Android Open Source Project).

"The most severe of these issues is a critical security vulnerability (CVE-2015-6616) that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," Google security bods say in an advisory.

"The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media. This issue is rated as a critical severity due to the possibility of remote code execution within the context of the mediaserver service [which] has access to audio and video streams as well as access to privileges that third-party apps cannot normally access."

Google does not know of any active attacks against the bugs.

The nastiest flaw (CVE-2015-6616) was uncovered with the help of Google Project Zero peep (and Tamagotchi defiler) Natalie Silvanovich, together with three Chrome security men, and Peter Pi of Trend Micro.

The Chrome team found a further six flaws, while iPhone jailbreakers Qidan He and Marco Grassi of Keen Team found two high severity holes (CVE-2015-6620, CVE-2015-6622).

Users of Google Hangouts and Messenger are, unlike those of other apps, no longer automatically hoseable through malicious MMS since automatic parsing was flicked off after the attacks were first revealed this year.

The area has been a focus of recent security research. In July researchers uncovered the Stagefright hijacking vulnerability and days later holes that allowed attackers to leave phones comatosed. Google patched some of the flaws last month.

Patches will hit AOSP in two days and most other stock Android handsets probably eventually ... or never, depending on whether handset-makers and carriers take the issue seriously. ®

More about

TIP US OFF

Send us news


Other stories you might like