Facing multiple Android security challenges in March so far, Google is issuing an unprecedented mid-month emergency patch update. The emergency patch is not, however, related to reports of a new Stagefright flaw but, rather, is a known Linux kernel vulnerability that Google was scheduled to fix.
Android Security Advisory 2016-03-18 is an out-of-band update for a privilege escalation vulnerability identified as CVE-2015-1805. As the CVE number implies, the vulnerability dates back to 2015 when it was first discovered in the upstream Linux kernel. While Google did not have a formal patch for the issue until March 18, Google’s Verify Apps technology already was identifying and blocking apps that attempted to use the vulnerability. Verify Apps is a Google technology that works for both Google Play apps as well as apps installed from third-party sources as a scanning technology that looks for malicious components.
Google noted in its security advisory that the CVE-2015-1805 was set to be included as a formal patch in a future Android update. That plan changed on March 15, when security firm Zimperium reported that it was aware of the CVE-2015-1805 vulnerability being used successfully to exploit a Nexus 5 device.
“Google has confirmed the existence of a publicly available rooting application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide the device user with root privileges,” Google warned in its advisory. “This issue is rated as a critical severity issue due to the possibility of a local privilege escalation and arbitrary code execution leading to local permanent device compromise.”
The out-of-band update follows the scheduled Android March update that came out March 7. What’s particularly interesting in the scheduled March update is that Google had also patched a pair of Linux kernel vulnerabilities in Android that had already been patched in the upstream Linux kernel project. At the time, Andrew Blaich, lead security analyst at Bluebox Security, prophetically warned that there were likely many other patches from the upstream Linux kernel that have not made it into Android yet that may have equal, if not worse, consequences than the pair patched in the scheduled March update.
Of note also is the fact that in the scheduled March 7 update, Google patched a high-severity issue identified as CVE-2016-0824 in the Stagefright media library. Google has patched the libstagefright (Stagefright) and Android media libraries multiple times since August 2015, when Zimperium zLabs Vice President of Platform Research and Exploitation Joshua Drake first disclosed the Stagefright flaw.
Coincidentally, Zimperium is the firm that reported to Google that the CVE-2015-1805 vulnerability, which is the focus of the new out-of-band patch, is being exploited.
In unrelated research, security firm NorthBit reported on March 18 that a Stagefright exploit it referred to as Metaphor is attacking Android. The Metaphor exploit makes use of a vulnerability identified as CVE-2015-3864, which Google patched in August 2015. Even back in August when the CVE-2015-3864 vulnerability was first publicly reported, Google officials were downplaying the potential impact.
“Currently over 90 percent of Android devices have a technology called ASLR [address space layout randomization] enabled, which protects users from this issue,” Google wrote in a statement to eWEEK at the time.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.