Categories: Security

Google Updates Android For Linux Kernel Flaw

Facing multiple Android security challenges in March so far, Google is issuing an unprecedented mid-month emergency patch update. The emergency patch is not, however, related to reports of a new Stagefright flaw but, rather, is a known Linux kernel vulnerability that Google was scheduled to fix.

Android Security Advisory 2016-03-18 is an out-of-band update for a privilege escalation vulnerability identified as CVE-2015-1805. As the CVE number implies, the vulnerability dates back to 2015 when it was first discovered in the upstream Linux kernel. While Google did not have a formal patch for the issue until March 18, Google’s Verify Apps technology already was identifying and blocking apps that attempted to use the vulnerability. Verify Apps is a Google technology that works for both Google Play apps as well as apps installed from third-party sources as a scanning technology that looks for malicious components.

Nexus 5 exploit

Google noted in its security advisory that the CVE-2015-1805 was set to be included as a formal patch in a future Android update. That plan changed on March 15, when security firm Zimperium reported that it was aware of the CVE-2015-1805 vulnerability being used successfully to exploit a Nexus 5 device.

“Google has confirmed the existence of a publicly available rooting application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide the device user with root privileges,” Google warned in itsadvisory. “This issue is rated as a critical severity issue due to the possibility of a local privilege escalation and arbitrary code execution leading to local permanent device compromise.”

The out-of-band update follows the scheduled Android March update that came out March 7. What’s particularly interesting in the scheduled March update is that Google had also patched a pair of Linux kernel vulnerabilities in Android that had already been patched in the upstream Linux kernel project. At the time, Andrew Blaich, lead security analyst at Bluebox Security, prophetically warned that there were likely many other patches from the upstream Linux kernel that have not made it into Android yet that may have equal, if not worse, consequences than the pair patched in the scheduled March update.

Of note also is the fact that in the scheduled March 7 update, Google patched a high-severity issue identified as CVE-2016-0824 in the Stagefright media library. Google has patched the libstagefright (Stagefright) and Android media libraries multiple times since August 2015, when Zimperium zLabs Vice President of Platform Research and Exploitation Joshua Drake first disclosed the Stagefright flaw.

Coincidentally, Zimperium is the firm that reported to Google that the CVE-2015-1805 vulnerability, which is the focus of the new out-of-band patch, is being exploited.

In unrelated research, security firm NorthBit reported on March 18 that a Stagefright exploit it referred to as Metaphor is attacking Android. The Metaphor exploit makes use of a vulnerability identified as CVE-2015-3864, which Google patched in August 2015. Even back in August when the CVE-2015-3864 vulnerability was first publicly reported, Google officials were downplaying the potential impact.

“Currently over 90 percent of Android devices have a technology called ASLR [address space layout randomization] enabled, which protects users from this issue,” Google wrote in a statement to eWEEK at the time.

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Google, DOJ Closing Arguments Clash Over Search ‘Monopoly’

Google clashes with US Justice Department in closing arguments as government argues Google used illegal…

6 hours ago

Stanford AI Scientist Working On ‘Spatial Intelligence’ Start-Up

Prominent Stanford University AI scientist Fei-Fei Li reportedly completes funding round for start-up based on…

6 hours ago

Apple Shares Surge Ahead Of New AI Hardware Launches

Apple shares surge on optimism that new AI-focused hardware launches will drive renewed sales, starting…

7 hours ago

Biden Vetoes Republican Measure In Row Over Contractors’ Unions

Biden vetoes Republican-backed measure amidst dispute over 'joint employer' status for contract workers, affecting tech…

7 hours ago

Lawyers Say Strict Child Controls In China Show TikTok Could Do Better

Lawyers in US social media addiction action say strict controls on Douyin in China show…

8 hours ago

London Black Cabs Sue Uber In Latest Legal Tangle

More than 10,000 London black cab drivers sue Uber claiming company acted illegally to obtain…

8 hours ago