Android Stagefright Media Library Remote Code Execution Vulnerabilities
Last Update Date: 29 Jul 2015 11:09
Release Date: 29 Jul 2015
RISK: Extremely High Risk
TYPE: Operating Systems - Mobile & Apps
Multiple vulnerabilities have been identified in the Android Stagefright Media Library. By sending crafted MMS or media files to a target system, remote attackers can exploit the vulnerabilities to execute arbitrary code on the target system.
Note:
- Proof of concept or exploit code may be available at BlackHat USA on 2015-08-05.
- A vendor patch is currently unavailable. However, a workaround is provided.
Impact
- Remote Code Execution
System / Technologies affected
- Android version 2.2.x to 5.1.x
Solutions
- Note on vendor patch:
  - It was reported that Google has already provided patches for the vulnerabilities. However, due to the arrangements of different device manufacturers, the update may not be pushed to their products via OTA immediately, so HKCERT regards no vendor patch as available at this stage.
  - Please also note that some device manufacturers may not push any updates to older device models. Please contact your vendor for details.
- Workaround:
  - Turn off "Auto Retrieve" for multimedia messages (MMS): under "Settings", go to "SMS"/"Multimedia message".
    Note: For this workaround, you may find more information for your device model on the following webpage:
    https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html
  - Block all text messages from unknown senders. Usually, you can enable such an option under "Settings".
  - Do not open MMS sent by unknown parties.
  - Remove all MMS related settings under Access Point Name (APN).
Vulnerability Identifier
Source
Related Link
- http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/
- http://www.zdnet.com/article/stagefright-just-how-scary-is-it-for-android-users/#ftag=RSSbaffb68
- http://www.kb.cert.org/vuls/id/924951
- https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html