Sophos Cloud Optix
Google’s latest Nexus Security Bulletin is out.
The February 2016 updates were announced yesterday, making it what you might call a “partial patch Monday.”
Google told its commercial partners about the month’s security holes back at the start of 2016, but the fixes will only be released to the Android Open Source Project (AOSP) over the course of today or tomorrow.
That’s ironic, considering Android’s open-sourced, GNU Public Licensed core – you might expect the GPL to come first in all of this – but the delay is presumably a way of letting keen Nexus users get their updates installed before at least some of the bugs get openly “documented” in the AOSP files.
Of course, the current wave of updates only apply to Google’s Nexus devices.
If you have a device from a different vendor or carrier, your mileage may (indeed, probably will) vary.
Additionally, the updates only apply to some Nexus devices.
Unfortunately Google doesn’t bother to list explicitly which Nexus models are excluded from what it calls, simply, “Nexus devices.”
You can head over to the official Android Nexus firmware pages to try to find out; as far as we can see, the Nexus 7 2012 and the Nexus 4 are stuck on unpatched versions of Lollipop (Android 5), and the Nexus Q and earlier devices are effectively abandonware, with old Android 4 releases the most recent you will get.
The bug fixes this month include five listed as critical:
The first two vulnerabilities on the list are the most critical of the criticals, because they allow remote code execution.
In the case of the Broadcom Wi-Fi driver bugs, anyone else on the same network as you (at the coffee shop, for instance) could trick your Android into running malware.
Google’s bulletin doesn’t say, but we’re guessing that the Broadcom bug is essentially an elevation of privilege flaw at the same time, assuming that any remotely-injected code runs in the context of the driver, thus giving it kernel-level powers.
The Mediaserver bugs probably sounds familiar, and so they should: this is essentially Stagefright all over again.
Mediaserver is a core Android component that provides the code needed for processing and then displaying or playing a wide range of image, video and audio files.
Unfortunately, handling multimedia files safely needs incredible care when programming, due to the complexity of the many file formats involved, and the risk of memory-related bugs when trying to convert files such as heavily compressed videos into a sequence of individual image frames for display.
Any image or audio rendering software that sometimes crashes when reading corrupted files may be exploitable, if the crash can be cleverly orchestrated by a crook who crafts a corrupt file that misbehaves predictably (if that is not an oxymoron).
Worse still, multimedia files often get processed automatically during mailing, web browsing and instant messaging, which gives crooks multiple ways to sneak in using booby-trapped files.
Unfortunately, to be competitive, multimedia rendering software has to have as many features as possible so it can handle just about any file type that users might want to view or listen to.
But to be secure, it really ought to cut back on the number of file formats it can handle, and on the number of obscure features that it can deal with in each supported file type.
This makes the code easier to audit, and less likely to contain rarely-used components that simply haven’t had enough scrutiny or testing over the years.
Given the prevalance of multimedia-related bugs that have shown up in Android since the world went looking in earnest in 2015, when Stagefright was announced, perhaps Google will consider a configuration setting that removes support for all but the most prevalent formats as a way of reducing your attack surface area?
💡 LEARN MORE: How to turn off Android’s autoprocessing of multimedia files via MMS ►
Seems to me that the “patchy” (pardon the pun) of Android updates is its most serious flaw ? Amazing that this has not become a major issue – perhaps the average user doesn’t concern him/herself with these matters. Where’s does all this leave one ? Android – fragmentation and update issues, iOS – closed shop/walled garden, Windows phones – limited App Store ?
oh, but for the Windows phone whose most grievous hindrance is sparse app selection..
sorry 🙂
/jab
“Of course, the current wave of updates only apply to Google’s Nexus devices”
Isn’t this the same update BlackBerry released yesterday?
This is why a major chunk of Android components are being separated from Android itself and delivered via the Play store. While most people are complaining about “extra crap pre-installed”, it’s an effort to have core components updated without having to wait for other suppliers. While it’s true this doesn’t cover everything, it’s a step forward.
Until a killer flaw, either in the form of a virus or exploit, makes the rounds then the ridiculous state of Android fragmentation will be ignored. When (not if) the big one hits you can bet people will want to know just why they were left vulnerable to exploits, even on new phones, that are known about but not patched out. That day will be frightening for all concerned.
Will we get them?
If we are not on a modern Nexus – No
So, we need a project to allow those of us on non-Nexus Androids to hack-update our devices. Surely not beyond the ability of the Open Source Software community – who must have an interest in us all running modern secure versions of Android?
It’s tough for the open source community.
Firstly, the testing becomes multiplicatively more complex as the number of different builds goes up. Secondly, the coding is a lot of extra work, trying to track down whether bugs are specific to a device, and if so how to fix them. Thirdly, actually buying or acquiring sufficiently many of the older devices for the development teams to code or test for them at all. Fourthly, if you do go with AOSP, you don’t get a whole lot of Android functionality – even the Google Play app is closed-source, proprietary and excluded from the AOSP codebase, so providing and testing ways for you to get those non-free parts of Android and use them reliably on a huge list of rare devices is pretty time-consuming, too.
These guys give a lot of their own time for free, so to support your obscure device they really could do with a donation. But if you donate your device so they can support it, then you won’t need the final build in the end anyway 🙂 So maybe the middle ground is for you to “donate” to yourself (e.g. buy on eBay:-) an Android model that is already well-supported by the open source fans out there, and retire your old one?
I have an older Samsung device that will never, ever get patches (thanks big red!).
I’d like to roll my own mediaserver and libstagefright.so from source, and I’ve been investigating doing so.
The most clear instructions that I’ve found are at cyanogenmod’s wiki for my device. I’d just load cyanogenmod, but (thanks again big red!) my bootloader is locked. I do have root, though, so anything in userland is fair game.
Are there easy alternatives for building AOSP components that are plug-compatible with Samsung binaries?