Menu
Another serious vulnerability found in Android's media processing service

Another serious vulnerability found in Android's media processing service

Rogue applications could exploit the flaw to gain sensitive permissions

Pixabay
Android

The Android service that processes multimedia files has been the source of several vulnerabilities recently, including a new one that could give rogue applications access to sensitive permissions.

The latest vulnerability in Android's mediaserver component was discovered by security researchers from antivirus firm Trend Micro and stems from a feature called AudioEffect.

The implementation of this feature does not properly check some buffer sizes that are supplied by clients, like media player applications. Therefore it is possible to craft a rogue application without any special permissions that could exploit the flaw to trigger a heap overflow, the Trend Micro researchers said Monday in a blog post.

By exploiting the vulnerability, the rogue application would be able to execute the same actions as the mediaserver component, which includes taking pictures, recording videos, reading MP4 files, and other privacy sensitive functions.

The flaw, which affects Android versions 2.3 to 5.1.1, was reported to Google in June and a fix for it was published to the Android Open Source Project (AOSP) on Aug. 1, according to the researchers.

It is now up to phone manufacturers to incorporate the fix into their code and release firmware updates for affected devices. Even though the distribution of updates in the Android ecosystem has shown some improvements lately, there will likely be many devices that will not be patched because they are no longer supported.

At the beginning of August many device vendors launched a large scale patching effort in response to a separate vulnerability in Android's media processing code. The flaw was revealed last month and could be exploited remotely through an MMS message or a Web page.

In a talk at the Black Hat security conference on Aug. 5, Android's lead security engineer, Adrian Ludwig, referred to the Stagefright patching effort as the "single largest unified software update in the world."

However, security researchers from a firm called Exodus Intelligence reported last week that Google's initial patch for the Stagefright flaw was incomplete. This forced the Android team to create another patch which, according to The Register, Google already distributed to its partners and will deliver to its Nexus and Nexus Player devices in September.

In addition to the Stagefright vulnerability and this latest AudioEffect flaw, researchers from Trend Micro have also recently reported two other vulnerabilities in Android's media server component that could force devices into a reboot loop or cause them to become unresponsive.

Both Joshua Drake, the researcher who found the first Stagefright vulnerability, and the Trend Micro researchers have warned that Android's multimedia processing code is likely to be a source of future vulnerabilities.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments