Another serious vulnerability found in Android's media processing service

Rogue applications could exploit the flaw to gain sensitive permissions

Pixabay
Android

The Android service that processes multimedia files has been the source of several vulnerabilities recently, including a new one that could give rogue applications access to sensitive permissions.

The latest vulnerability in Android's mediaserver component was discovered by security researchers from antivirus firm Trend Micro and stems from a feature called AudioEffect.

The implementation of this feature does not properly check some buffer sizes that are supplied by clients, like media player applications. Therefore it is possible to craft a rogue application without any special permissions that could exploit the flaw to trigger a heap overflow, the Trend Micro researchers said Monday in a blog post.

By exploiting the vulnerability, the rogue application would be able to execute the same actions as the mediaserver component, which includes taking pictures, recording videos, reading MP4 files, and other privacy sensitive functions.

The flaw, which affects Android versions 2.3 to 5.1.1, was reported to Google in June and a fix for it was published to the Android Open Source Project (AOSP) on Aug. 1, according to the researchers.

It is now up to phone manufacturers to incorporate the fix into their code and release firmware updates for affected devices. Even though the distribution of updates in the Android ecosystem has shown some improvements lately, there will likely be many devices that will not be patched because they are no longer supported.

At the beginning of August many device vendors launched a large scale patching effort in response to a separate vulnerability in Android's media processing code. The flaw was revealed last month and could be exploited remotely through an MMS message or a Web page.

In a talk at the Black Hat security conference on Aug. 5, Android's lead security engineer, Adrian Ludwig, referred to the Stagefright patching effort as the "single largest unified software update in the world."

However, security researchers from a firm called Exodus Intelligence reported last week that Google's initial patch for the Stagefright flaw was incomplete. This forced the Android team to create another patch which, according to The Register, Google already distributed to its partners and will deliver to its Nexus and Nexus Player devices in September.

In addition to the Stagefright vulnerability and this latest AudioEffect flaw, researchers from Trend Micro have also recently reported two other vulnerabilities in Android's media server component that could force devices into a reboot loop or cause them to become unresponsive.

Both Joshua Drake, the researcher who found the first Stagefright vulnerability, and the Trend Micro researchers have warned that Android's multimedia processing code is likely to be a source of future vulnerabilities.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?