Brent D'Alessandro
Guest
Nexus devices received a new OTA update this week (Build LMY48M), which fixes some security issues. Now, Google is going into more detail on exactly what those fixes were.
There are a total of eight vulnerabilities on the list, with one reported to have been exploited in the wild. It is unclear whether that was just someone rooting their own device to try it out or whether it was used maliciously.
Security vulnerability summary

| Title | CVE | Severity | Active Exploitation |
| --- | --- | --- | --- |
| Remote Code Execution Vulnerability in Mediaserver | CVE-2015-3864 | Critical | No |
| Elevation of Privilege Vulnerability in Kernel | CVE-2015-3636 | Critical | Yes |
| Elevation of Privilege Vulnerability in Binder | CVE-2015-3845, CVE-2015-1528 | High | No |
| Elevation of Privilege Vulnerability in Keystore | CVE-2015-3863 | High | No |
| Elevation of Privilege Vulnerability in Region | CVE-2015-3849 | High | No |
| Elevation of Privilege vulnerability in SMS enables notification bypass. | CVE-2015-3858 | High | No |
| Elevation of Privilege Vulnerability in Lockscreen | CVE-2015-3860 | Moderate | No |
| Denial of Service Vulnerability in Mediaserver | CVE-2015-3861 | Low | No |
Ars Technica says the two critical fixes will address vulnerabilities found in the libstagefright Android media library. These allowed harmful code to be executed on users’ devices. Google has also been pushing manufacturers and carriers to release Stagefright fixes over the past few months.
Zimperium Mobile Security have released proof of concept code proving how Stagefright vulnerabilities could be exploited.
Mitigation Techniques Used To Prevent Exploitation:
- Remote exploitation for many issues on Android versions 4.1 (Jelly Bean) and higher is mitigated by enhancements in the Address Space Layout Randomization (ASLR) algorithm used in those versions. Android 5.0 improved ASLR by requiring PIE (position-independent executable) for all dynamically linked executables further strengthening the ASLR protection. We encourage all users to update to the latest version of Android where possible.
- The Android Security team is actively monitoring for abuse of issues with Verify Apps and SafetyNet which will warn about potentially harmful applications about to be installed. Device “rooting” tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known Rooting applications. Verify Apps will block installation of known “malicious” applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will attempt to automatically remove any such applications and notify the user.
- As appropriate, Google has updated the Hangouts and Messenger applications so that media is not automatically passed to vulnerable processes (such as Mediaserver.)
Source: Google
Via: Android Police
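The first mitigation above depends on dynamically linked executables being built as PIE. The following is an added example, not code from Google's bulletin or from this article, showing how a defender could audit a binary for that property by reading its ELF headers. The names `classify_elf` and `make_sample` are hypothetical, and the sample images are constructed in the code rather than taken from a device.

```python
import struct

ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_INTERP = 3            # program header that names the dynamic linker

def classify_elf(data: bytes) -> str:
    """Classify an ELF image by whether ASLR can relocate its main executable."""
    if (len(data) < 52 or data[:4] != b"\x7fELF"
            or data[4] not in (1, 2) or data[5] not in (1, 2)):
        return "not-elf"
    end = "<" if data[5] == 1 else ">"          # EI_DATA: byte order
    if data[4] == 1:                            # ELFCLASS32 field offsets
        phoff_fmt, phoff_at, phent_at = "I", 28, 42
    else:                                       # ELFCLASS64 field offsets
        if len(data) < 64:
            return "not-elf"
        phoff_fmt, phoff_at, phent_at = "Q", 32, 54
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + phoff_fmt, data, phoff_at)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, phent_at)
    has_interp = False
    for i in range(e_phnum):                    # p_type is the first word of each entry
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            return "truncated"
        (p_type,) = struct.unpack_from(end + "I", data, off)
        has_interp = has_interp or p_type == PT_INTERP
    if not has_interp:
        return "no-interpreter"                 # static binary or plain shared library
    # Dynamically linked: ET_DYN is position independent, ET_EXEC has a fixed base.
    return "pie" if e_type == ET_DYN else "non-pie"

def make_sample(e_type: int, interp: bool) -> bytes:
    """Constructed 32-bit little-endian ELF: file header plus one program header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    header = struct.pack("<HHIIIIIHHHHHH",
                         e_type, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<I", PT_INTERP if interp else 1) + bytes(28)
    return ident + header + phdr

if __name__ == "__main__":
    for label, image in [("PIE executable", make_sample(ET_DYN, True)),
                         ("fixed-base executable", make_sample(ET_EXEC, True))]:
        print(f"{label}: {classify_elf(image)}")
```

A result of `non-pie` marks a dynamically linked executable loaded at a fixed base address, the case the bulletin says Android 5.0 no longer permits.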
News via TalkAndroid