Google Updates Android for Linux Kernel Flaw
Google issued an emergency patch for an Android vulnerability. An unrelated Stagefright flaw is also raising concern.Facing multiple Android security challenges in March so far, Google is issuing an unprecedented mid-month emergency patch update. The emergency patch is not, however, related to reports of a new Stagefright flaw but, rather, is a known Linux kernel vulnerability that Google was scheduled to fix. Android Security Advisory 2016-03-18 is an out-of-band update for a privilege escalation vulnerability identified as CVE-2015-1805. As the CVE number implies, the vulnerability dates back to 2015 when it was first discovered in the upstream Linux kernel. While Google did not have a formal patch for the issue until March 18, Google's Verify Apps technology already was identifying and blocking apps that attempted to use the vulnerability. Verify Apps is a Google technology that works for both Google Play apps as well as apps installed from third-party sources as a scanning technology that looks for malicious components. Google noted in its security advisory that the CVE-2015-1805 was set to be included as a formal patch in a future Android update. That plan changed on March 15, when security firm Zimperium reported that it was aware of the CVE-2015-1805 vulnerability being used successfully to exploit a Nexus 5 device. "Google has confirmed the existence of a publicly available rooting application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide the device user with root privileges," Google warned in its advisory. "This issue is rated as a critical severity issue due to the possibility of a local privilege escalation and arbitrary code execution leading to local permanent device compromise."
The out-of-band update follows the scheduled Android March update that came out March 7. What's particularly interesting in the scheduled March update is that Google had also patched a pair of Linux kernel vulnerabilities in Android that had already been patched in the upstream Linux kernel project. At the time, Andrew Blaich, lead security analyst at Bluebox Security, prophetically warned that there were likely many other patches from the upstream Linux kernel that have not made it into Android yet that may have equal, if not worse, consequences than the pair patched in the scheduled March update.