Google updated Nexus devices to fix critical security vulnerabilities in the media playback engine in Android, called Stagefright 2.0.
The issues, released by security firm Zimperium, affect libstagefright and libutils, and affect all Android devices, including those running under version 1.0 of the platform, which released seven years ago.
The flaws rate as critical and could result in remote code execution on the affected devices.
Two vulnerabilities in libutils patched in Google’s October 2015 Nexus Security Bulletin, featuring Common Vulnerabilities and Exposures (CVE) identifiers CVE-2015-3875 and CVE-2015-6602. Both flaws exist in audio file processing and affect all devices running Android 5.1 and below.
Zimperium said the issue is in the processing of metadata within the files, which means the vulnerability could end up triggered even if the user simply previews the compromised MP3 audio or MP4 video file. Older devices running Android suffer if the vulnerable function in libutils ends up used via third party apps or pre-loaded vendor or carrier functionality.
To exploit the vulnerability, an attacker would have to push a specially crafted file to the affected device. As soon as the file ends up processed, it would cause memory corruption and remote code execution in a service that uses the libutils library, including mediaserver. Multiple applications use the functionality and remote content can reach it via email, MMS, and browser playback.
Newer Google Hangouts and Messenger applications remove the primary attack vector of MMS, which means an attacker interested in exploiting the vulnerability would need to use the Web browser to execute an attack by convincing a user to visit a URL directing to a malicious Web site.
The issue could end up exploited by an attacker on the same network with the affected device through a Man-in-the-Middle (MiTM) attack. Additionally, 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library can end up exploited.
Google’s new security update for Nexus devices patches 15 vulnerabilities in libstagefright, all of which could suffer exploitation during media file and data processing of a specially crafted file to cause memory corruption and remote code execution. Rated Critical, these vulnerabilities impact all Android 5.1 and below versions.