Exploitation of the Stagefright 2.0 bug has been made a little bit more difficult, Google pushing fixes for this Android vulnerability, all as part of its monthly security bulletin.
Stagefright 2.0, the vulnerability discovered by Zimperium last August and disclosed to the public last week, affects practically every Android device sold since 2008.
Stagefright 2.0 can be exploited by attackers via malformed MP3 and MP4 files, and can crash Android devices via mobile Web browsers and IM applications, giving control to the attackers, just like in the fist instance of Stagefright that worked via MMS messages.
The two vulnerabilities that form Stagefright 2.0 (CVE-2015-3876 and CVE-2015-6602) have now been officially fixed by Google, as the company announced yesterday via its Nexus Security Bulletin for October 2105.
While these security patches will automatically be pushed to all Google Nexus devices, it is up to the other mobile carriers to also push them to their clients.
None of these vulnerabilities was used in the wild
Unlike the first batch of security updates, which included patches for vulnerabilities used in the wild by attackers, none of the fixed issues in yesterday's security bulletin has been used in live attacks, as Google claims. These are all the fixed issues:
Issue | CVE | Severity |
---|---|---|
Remote Code Execution Vulnerabilities in libstagefright | CVE-2015-3873, CVE-2015-3872, CVE-2015-3871, CVE-2015-3868, CVE-2015-3867, CVE-2015-3869, CVE-2015-3870, CVE-2015-3823, CVE-2015-6598, CVE-2015-6599, CVE-2015-6600, CVE-2015-3870, CVE-2015-6601, CVE-2015-3876, CVE-2015-6604 | Critical |
Remote Code Execution Vulnerabilities in Sonivox | CVE-2015-3874 | Critical |
Remote Code Execution Vulnerabilities in libutils | CVE-2015-3875, CVE-2015-6602 | Critical |
Remote Code Execution Vulnerability in Skia | CVE-2015-3877 | Critical |
Remote Code Execution Vulnerability in libFLAC | CVE-2014-9082 | Critical |
Elevation of Privilege Vulnerability in KeyStore | CVE-2015-3863 | High |
Elevation of Privilege Vulnerability in Media Player Framework | CVE-2015-3879 | High |
Elevation of Privilege Vulnerability in Android Runtime | CVE-2015-6596 | High |
Elevation of Privilege Vulnerabilities in Mediaserver | CVE-2015-6596 | High |
Elevation of Privilege Vulnerability in Secure Element Evaluation Kit | CVE-2015-6606 | High |
Elevation of Privilege Vulnerability in Media Projection | CVE-2015-3878 | Moderate |
Elevation of Privilege Vulnerability in Bluetooth | CVE-2015-3847 | Moderate |
Elevation of Privilege Vulnerabilities in SQLite | CVE-2015-6607 | Moderate |
Denial of Service Vulnerabilities in Mediaserver | CVE-2015-6605, CVE-2015-3862 | Low |