Slashdot Mirror


Maliciously Crafted MKV Video Files Can Be Used To Crash Android Phones

itwbennett writes: Just days after publication of a flaw in Android's Stagefright, which could allow attackers to compromise devices with a simple MMS message, researchers have found another Android media processing flaw. The latest vulnerability is located in Android's mediaserver component, more specifically in how the service handles files that use the Matroska video container (MKV), Trend Micro researchers said. "When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system). The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data."

2 of 92 comments

  1. Closed Ecosystem by OverlordQ · Score: 4, Interesting

    And those running custom mods will have this fix this week while those who are locked in to their carriers will be stuck vulnerable for who knows how long.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Closed Ecosystem by TheGratefulNet · Score: 4, Interesting

      I can update a proper linux system. apt-get update (etc etc) and I'm good. it could be a 5 yr old linux install, 10 yr even more. it will still get security and major bugfixes.

      android? yeah, right. my nexus one (go ahead, laugh at the old guy with the ancient phone) has not had an update for over 3 years now; probably more than that. 2.x distro from cyan and even they stopped doing updates. I have no time in my schedule to learn android internals well enough to do this myself (I could do it for linux, but I have no desire to waste time on phone crap, too many other things to get done). and so, I am running quite old software on a mobile computer and unless I pay for new hardware (my old hw works fine, still) I can't get updates.

      this is the main reason why I hate google so much. they totally messed up on the whole android build/deploy/update system. it's not linux, it's not separable (gfx and kernel and ip stack all are comingled, like a college-hire might design, sigh) and you can't update just the parts you need. it's a whole update or nothing at all. HOW UTTERLY STUPID.

      I wish I could get to love apple gear. then again, they EOL their old products, too, and so I'd have to keep rebuying hardware just like android guys are forced to do.

      I may just go back to dumb phones again. this is ridiculous. a mobile computer with wireless access, a lot of my personal info on it and yet no update mechanism at all. essentially it's abandonware. hundreds of dollars and I have a device that won't ever get updated even though there's not a single good reason for that.

      what I can't figure out is: was google stupid or smart when they planned this? I tend to think they were both; stupid due to having too many kids onboard who don't understand the longevity of embedded systems in the real world; and smart since they force people to keep re-re-rebuying things and that must make their hardware partners very happy. they also can ignore older hardware and save time on multiple forks and build trees. but it was all the wrong design for END USERS. we are the ones who get screwed by this.

      I cannot ever forgive google. they could have kept linux clean on the phone and allowed users to update ip-stack, kernel, etc. but they put a lot of effort into NOT allowing this and we all pay for it with security problems; and ones that we won't ever be able to fix, either, unless we do the work ourselves (which is not acceptable for an embedded system).

      --
      "It is now safe to switch off your computer."