As promised, Google is continuing to issue monthly Android security updates in an effort to keep users safe. The November update is now out, marking the fourth update since Google started monthly updates after the Stagefright Android flaw was first reported in July. Google’s Android Security Chief Adrian Ludwig first committed the company to a new monthly update cycle for Android at the Black Hat USA conference in August.
Yet another Stagefright-related flaw is now being patched in Android. Stagefright, or more accurately libstagefright, is actually a library of code, not the name of an issue itself. As such, “Stagefright issues” are bugs in that specific library within Android.
The first patch of Stagefright-related bugs came from Google in August, with a second bundle that security researchers dubbed Stagefright 2 that was patched in the October update.
Two of the new issues, including one in libstagefright, that are being patched in the November Android update were reported to Google by security firm Trend Micro. Google identified CVE-2015-6610 as an elevation-of-privilege vulnerability in libstagefright, while CVE-2015-6611 is an information-disclosure vulnerability in the media server.
Christopher Budd, global threat communications manager at Trend Micro, told eWEEK that, to date, his company does not have any evidence that the CVE-2015-6610 and CVE-2015-6611 vulnerabilities are under active attack.
Daniel Micay, a security researcher at Copperhead Security, is credited by Google for reporting CVE-2015-6609, a remote code execution vulnerability in the libutils library.
“A vulnerability in libutils, a generic library, can be exploited during audio file processing,” Google warns in its advisory. “This vulnerability could allow an attacker, during processing of a specially crafted file, to cause memory corruption and remote code execution.”
Micay, no stranger to Android security vulnerability disclosure, received credit from Google for reporting CVE-2015-3875 in the October update. That vulnerability also was reported by Joshua Drake, Zimperium zLabs vice president of platform research and exploitation.
Drake is the original discoverer of the libstagefright vulnerabilities first reported in July. Now, in November, Drake isn’t surprised that vulnerabilities are still being patched in the libstagefright library.
“The code was clearly written without much concern for security, safety or robustness,” Drake told eWEEK. “It will take time and sustained effort to clean it up.
Looking specifically at the CVE-2015-6610 libstagefright vulnerability in the November update reported by Trend Micro, Drake doesn’t see the same degree of severity as prior issues. He noted that the issue appears to require some level of access to the device to execute the attack.
“After looking at the fix for that issue, it seems triggering the vulnerability would require a very large file: 1.3GB,” Drake said. “Such a file would take significant time to transfer, making remote attacks utilizing this issue very unlikely. So, in short, it doesn’t appear to be as serious as issues we’ve previously reported, especially those in the first round.”
While Drake is not credited with reporting any of the issues fixed in the November Android update, he has reported multiple additional issues to Google that haven’t yet been addressed.
“There hasn’t been any status change on the issues we have outstanding with Google,” Drake said. “They are currently sitting in a state where we haven’t proven that a code path with security consequences exists.”
Though Drake has received some notoriety for his Stagefright disclosures, which included a talk at the Black Hat USA 2015 event in Las Vegas, he’s now focused on other challenges.
“Personally, I’ve moved on from researching the security properties of libstagefright for the time being to working on other projects,” Drake said. “There’s a strong chance I’ll take a look again, but for now, it’s up to the greater community to further our work.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.