Menu
Another serious vulnerability found in Android's media processing service

Another serious vulnerability found in Android's media processing service

Rogue applications could exploit the flaw to gain sensitive permissions

Pixabay
Android

The Android service that processes multimedia files has been the source of several vulnerabilities recently, including a new one that could give rogue applications access to sensitive permissions.

The latest vulnerability in Android's mediaserver component was discovered by security researchers from antivirus firm Trend Micro and stems from a feature called AudioEffect.

The implementation of this feature does not properly check some buffer sizes that are supplied by clients, like media player applications. Therefore it is possible to craft a rogue application without any special permissions that could exploit the flaw to trigger a heap overflow, the Trend Micro researchers said Monday in a blog post.

By exploiting the vulnerability, the rogue application would be able to execute the same actions as the mediaserver component, which includes taking pictures, recording videos, reading MP4 files, and other privacy sensitive functions.

The flaw, which affects Android versions 2.3 to 5.1.1, was reported to Google in June and a fix for it was published to the Android Open Source Project (AOSP) on Aug. 1, according to the researchers.

It is now up to phone manufacturers to incorporate the fix into their code and release firmware updates for affected devices. Even though the distribution of updates in the Android ecosystem has shown some improvements lately, there will likely be many devices that will not be patched because they are no longer supported.

At the beginning of August many device vendors launched a large scale patching effort in response to a separate vulnerability in Android's media processing code. The flaw was revealed last month and could be exploited remotely through an MMS message or a Web page.

In a talk at the Black Hat security conference on Aug. 5, Android's lead security engineer, Adrian Ludwig, referred to the Stagefright patching effort as the "single largest unified software update in the world."

However, security researchers from a firm called Exodus Intelligence reported last week that Google's initial patch for the Stagefright flaw was incomplete. This forced the Android team to create another patch which, according to The Register, Google already distributed to its partners and will deliver to its Nexus and Nexus Player devices in September.

In addition to the Stagefright vulnerability and this latest AudioEffect flaw, researchers from Trend Micro have also recently reported two other vulnerabilities in Android's media server component that could force devices into a reboot loop or cause them to become unresponsive.

Both Joshua Drake, the researcher who found the first Stagefright vulnerability, and the Trend Micro researchers have warned that Android's multimedia processing code is likely to be a source of future vulnerabilities.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments