Multiple Vulnerabilities in Google Stagefright Could Allow Remote Code Execution

ITS Advisory Number: 2015-120
Date(s) Issued: Friday, October 2, 2015
Subject: Multiple Vulnerabilities in Google Stagefright Could Allow Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Google's Stagefright which could allow remote code execution. Stagefright is a media playback library native to the Android OS which processes various media formats. Android is an operating system developed by Google for mobile phones. Successfully exploiting these issues may allow remote attackers to execute code on the mobile phone.

Systems Affected: 
  • Android version 1.1 through 5.1.1
Risk:
Government:
  • Large and medium government entities: High
  • Small government entities: High
Business:
  • Large and medium business entities: High
  • Small business entities: High
Home Users: High
Description: 

Google's Android OS is prone to multiple vulnerabilities which could allow remote code execution. The vulnerabilities are as follows:

  • Google Stagefright 'libutils' may allow for remote code execution via specially crafted metadata in MP3 or MP4 files (CVE-2015-6602).
  • Google Stagefright 'LMY48M' may allow for remote code execution via specially crafted metadata in MP3 or MP4 files (CVE-2015-3876).

These vulnerabilities exist in Stagefright, a media playback library which processes various media formats, and affect Android devices from Android 1.1 through Android 5.1.1. They could be exploited if a user visits or is redirected to a webpage playing a specially crafted MP3 audio or MP4 video file. Zimperium originally disclosed the vulnerabilities to Google on August 15, 2015, and will disclose them to the public after the vulnerabilities have been resolved. Successfully exploiting these issues may allow remote attackers to execute code on the mobile phone.

Actions: 
  • Android users should patch the device immediately after receiving the update notification from the device's carrier.
  • Try contacting your device vendor to determine when a patch will be available, and to urge them to patch as soon as possible.
  • If supported by your messaging app, change the settings to prevent the device from automatically retrieving MMS messages. If your app does not support this functionality, consider switching to a messaging app that does.
  • Consider changing the default messaging application to one that has been patched and is no longer vulnerable to Stagefright.
  • If your messaging app supports it, consider blocking messages from unknown senders.
  • To determine if your device is vulnerable to Stagefright 2.0, consider testing it with Zimperium's 'Stagefright Detector' after an update is made available.