Google is pushing out its March Android security update, providing users with security fixes for 19 vulnerabilities, of which four are rated critical, eight have high severity and two are rated moderate.
Among the high-severity issues is CVE-2016-0824, an information-disclosure vulnerability in the much-maligned Android libstagefright (Stagefright) media library.
Flaws in Stagefright were first publicly disclosed in July 2015 by Zimperium zLabs Vice President of Platform Research and Exploitation Joshua Drake. The initial Stagefright flaws have been followed in the months since with a near-continuous stream of subsequent Stagefright flaws patched in Google’s monthly update for Android. In fact, Google only began its monthly updates for Android in response to Stagefright in a bid to help bring patches to users faster.
Though Google has already patched multiple Stagefright-related flaws to date, Andrew Blaich, lead security analyst at Bluebox Security, expects users to continue to see patches in Stagefright or related libraries.
“These libraries are having a lot of eyes looking at them all of a sudden, and what we’re experiencing is a security audit being done in the wild at a global scale,” Blaich told eWEEK.
Among the related libraries is the core Android mediaserver, which Google is patching this month for six different vulnerabilities. Two of the issues (CVE-2016-0815 and CVE-2016-0816) are identified as critical vulnerabilities in mediaserver that could lead to a potential remote-code execution.
Another two issues (CVE-2016-0826 and CVE-2016-0827) are privilege escalation vulnerabilities in Android that Google rates as high-severity issues. Google has identified two more high-severity issues (CVE-2016-0828 and CVE-2016-0829) in mediaserver as information-disclosure vulnerabilities.
Beyond Stagefright and its related Android media libraries, Google is now also finally getting around to updating Android for flaws that were patched in the upstream Linux kernel in 2015. Google identified the CVE-2016-0823 issue as a high-severity information disclosure vulnerability in the kernel, while CVE-2016-0821 is a high-severity mitigation bypass vulnerability in the kernel.
The fact that there are Linux security vulnerabilities that have already been patched in the upstream kernel, but not in Android, isn’t surprising, Blaich said. “There are probably many patches like CVE-2016-0823 and CVE-2016-0821 that have not made it into Android yet that may have equal, if not worse, consequences,” Blaich said. “This is par for the course with Android.”
Updating software takes time, especially when bringing patches from one project into another, Blaich said, adding that there is definitely room for improvement to get patches into Android faster, which then takes even longer to make it into the hands of consumers. Google makes its monthly patches freely available for supported Nexus device users.
Google has publicly issued 123 fixes since it started the monthly Android security bulletin in August, Blaich explained.
“However, while Nexus devices are receiving these fixes, non-Nexus devices are not getting them in a timely manner, if at all,” he said.
Of the 123 fixes Google has issued since August, 45 percent have been critical. Blaich commented that this means that all of the unpatched Android devices are at risk of being compromised, exploited and having personal data stolen, sometimes remotely, without the attacker needing access to the device.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.