Menu
Another serious vulnerability found in Android's media processing service

Another serious vulnerability found in Android's media processing service

Rogue applications could exploit the flaw to gain sensitive permissions

Pixabay
Android

The Android service that processes multimedia files has been the source of several vulnerabilities recently, including a new one that could give rogue applications access to sensitive permissions.

The latest vulnerability in Android's mediaserver component was discovered by security researchers from antivirus firm Trend Micro and stems from a feature called AudioEffect.

The implementation of this feature does not properly check some buffer sizes that are supplied by clients, like media player applications. Therefore it is possible to craft a rogue application without any special permissions that could exploit the flaw to trigger a heap overflow, the Trend Micro researchers said Monday in a blog post.

By exploiting the vulnerability, the rogue application would be able to execute the same actions as the mediaserver component, which includes taking pictures, recording videos, reading MP4 files, and other privacy sensitive functions.

The flaw, which affects Android versions 2.3 to 5.1.1, was reported to Google in June and a fix for it was published to the Android Open Source Project (AOSP) on Aug. 1, according to the researchers.

It is now up to phone manufacturers to incorporate the fix into their code and release firmware updates for affected devices. Even though the distribution of updates in the Android ecosystem has shown some improvements lately, there will likely be many devices that will not be patched because they are no longer supported.

At the beginning of August many device vendors launched a large scale patching effort in response to a separate vulnerability in Android's media processing code. The flaw was revealed last month and could be exploited remotely through an MMS message or a Web page.

In a talk at the Black Hat security conference on Aug. 5, Android's lead security engineer, Adrian Ludwig, referred to the Stagefright patching effort as the "single largest unified software update in the world."

However, security researchers from a firm called Exodus Intelligence reported last week that Google's initial patch for the Stagefright flaw was incomplete. This forced the Android team to create another patch which, according to The Register, Google already distributed to its partners and will deliver to its Nexus and Nexus Player devices in September.

In addition to the Stagefright vulnerability and this latest AudioEffect flaw, researchers from Trend Micro have also recently reported two other vulnerabilities in Android's media server component that could force devices into a reboot loop or cause them to become unresponsive.

Both Joshua Drake, the researcher who found the first Stagefright vulnerability, and the Trend Micro researchers have warned that Android's multimedia processing code is likely to be a source of future vulnerabilities.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments