Facing multiple Android security challenges in March so far, Google is issuing an unprecedented mid-month emergency patch update. The emergency patch is not, however, related to reports of a new Stagefright flaw but, rather, is a known Linux kernel vulnerability that Google was scheduled to fix.
Android Security Advisory 2016-03-18 is an out-of-band update for a privilege escalation vulnerability identified as CVE-2015-1805. As the CVE number implies, the vulnerability dates back to 2015 when it was first discovered in the upstream Linux kernel. While Google did not have a formal patch for the issue until March 18, Google’s Verify Apps technology already was identifying and blocking apps that attempted to use the vulnerability. Verify Apps is a Google technology that works for both Google Play apps as well as apps installed from third-party sources as a scanning technology that looks for malicious components.
Google noted in its security advisory that the CVE-2015-1805 was set to be included as a formal patch in a future Android update. That plan changed on March 15, when security firm Zimperium reported that it was aware of the CVE-2015-1805 vulnerability being used successfully to exploit a Nexus 5 device.
The out-of-band update follows the scheduled Android March update that came out March 7. What’s particularly interesting in the scheduled March update is that Google had also patched a pair of Linux kernel vulnerabilities in Android that had already been patched in the upstream Linux kernel project. At the time, Andrew Blaich, lead security analyst at Bluebox Security, prophetically warned that there were likely many other patches from the upstream Linux kernel that have not made it into Android yet that may have equal, if not worse, consequences than the pair patched in the scheduled March update.
Of note also is the fact that in the scheduled March 7 update, Google patched a high-severity issue identified as CVE-2016-0824 in the Stagefright media library. Google has patched the libstagefright (Stagefright) and Android media libraries multiple times since August 2015, when Zimperium zLabs Vice President of Platform Research and Exploitation Joshua Drake first disclosed the Stagefright flaw.
Coincidentally, Zimperium is the firm that reported to Google that the CVE-2015-1805 vulnerability, which is the focus of the new out-of-band patch, is being exploited.
In unrelated research, security firm NorthBit reported on March 18 that a Stagefright exploit it referred to as Metaphor is attacking Android. The Metaphor exploit makes use of a vulnerability identified as CVE-2015-3864, which Google patched in August 2015. Even back in August when the CVE-2015-3864 vulnerability was first publicly reported, Google officials were downplaying the potential impact.
“Currently over 90 percent of Android devices have a technology called ASLR [address space layout randomization] enabled, which protects users from this issue,” Google wrote in a statement to eWEEK at the time.
Originally published on eWeek.
Google clashes with US Justice Department in closing arguments as government argues Google used illegal…
Prominent Stanford University AI scientist Fei-Fei Li reportedly completes funding round for start-up based on…
Apple shares surge on optimism that new AI-focused hardware launches will drive renewed sales, starting…
Biden vetoes Republican-backed measure amidst dispute over 'joint employer' status for contract workers, affecting tech…
Lawyers in US social media addiction action say strict controls on Douyin in China show…
More than 10,000 London black cab drivers sue Uber claiming company acted illegally to obtain…