Slashdot Mirror


Google Fixes Rooting Vulnerabilities In Android (csoonline.com)

itwbennett writes: Google released over-the-air firmware updates for its Nexus devices Monday and will publish the patches to the Android Open Source Project (AOSP) repository by Wednesday, fixing a new batch of vulnerabilities in Android that could allow hackers to take over devices remotely or through malicious applications. The new patches address six critical, two high and five moderate vulnerabilities. The most serious flaw is located in the mediaserver Android component, a core part of the operating system that handles media playback and corresponding file metadata parsing.

9 of 126 comments

  1. Ask Slashdot : by invictusvoyd · · Score: 2

    A friend of mine uses an Android phone offline. He never connects to the internet and never receives any MMS. He only uses inbuilt apps and text and calling. What is the kind of risk he is exposed to?

    P.S. He is not interested in Android updates and is only using an Android phone because Nokia went bust.

    1. Re:Ask Slashdot : by 110010001000 · · Score: 3, Insightful

      A lot. Since he is using text messaging, he can receive an MMS. This MMS can do anything to your phone because of the bugs. You don't even need to open the MMS. You can't prevent getting an MMS if you have text messaging enabled. Also, Google logs everything you do on your phone, so that is a risk as well. Personally I would avoid smart phones entirely if you are worried about security or privacy. Since he never connects to the Internet and never does MMS, a simple flip phone will do for him.

    2. Re:Ask Slashdot : by minus9 · · Score: 2

      You can disable the auto retrieval of MMS though.

    3. Re:Ask Slashdot : by idontgno · · Score: 2, Informative

      I don't think you were reading who you were responding to, or read but discounted it.

      PP (Parent Poster) indicates that the hypothetical user isn't connecting to the internet. MMS requires internet connectivity to deliver its "more advanced than SMS" payload. From Wikipedia:

      Technical description

      MMS messages are delivered in a totally different way from SMS. The first step is for the sending device to encode the multimedia content in a fashion similar to sending a MIME message (MIME content formats are defined in the MMS Message Encapsulation specification). The message is then forwarded to the carrier's MMS store and forward server, known as the MMSC (Multimedia Messaging Service Centre). If the receiver is on a carrier different from the sender, then the MMSC acts as a relay, and forwards the message to the MMSC of the recipient's carrier using the Internet.

      Once the recipient's MMSC has received a message, it first determines whether the receiver's handset is "MMS capable", that it supports the standards for receiving MMS. If so, the content is extracted and sent to a temporary storage server with an HTTP front-end. An SMS "control message" (ping) containing the URL of the content is then sent to the recipient's handset to trigger the receiver's WAP browser to open and receive the content from the embedded URL. Several other messages are exchanged to indicate status of the delivery attempt. Before delivering content, some MMSCs also include a conversion service that will attempt to modify the multimedia content into a format suitable for the receiver. This is known as "content adaptation".

      The bolded portion of the last paragraph makes it clear: accessing the multimedia content requires HTTP connectivity via some TCP/IP network, which PP is disallowing in his hypothetical. I think you're describing the Stagefright vulnerability, and it's true that if you allow a vulnerable Android device to access malware MMS multimedia content, the malware will exploit the weaknesses of the Stagefright APIs and pwn the phone. However, most SMS/MMS programs can be configured to not automatically download multimedia content (but rather requiring user action to start the download). This changes Stagefright MMS from a "drive-by" vulnerability to a slightly less risky "requires user consent" one.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  2. Re:Android security? lol! by LichtSpektren · · Score: 2

    You're right for the crappo sub-$100 phones, but flagships and Nexus devices do get the security updates.

  3. Re:Android security? lol! by minus9 · · Score: 3, Funny

    "No one will get these fixes."

    Not even the people who are mentioned in the article you're replying to? The ones with Nexus devices that the fixes were pushed out to on Monday?

  4. Re:Sweet by LichtSpektren · · Score: 2

    "That means end users will be able to use these to root their devices for the next 12-18 months since the patches won't be applied by most OEMs before then. On the downside it means you can be spearphished through an MMS."

    Perhaps I'm misreading your post, but you seem very confused. Unlike jailbreaking iPhones, where one has to find some tiny privilege escalation vulnerability before Apple does and then abuse it to flash a custom ROM, Android is designed to allow rooting fairly easily. In fact, Google themselves provide a page that gives layman instructions on how to unlock the bootloader and flash the stock ROM for their Nexus devices (https://developers.google.com/android/nexus/images); that includes all the latest security updates, so rooting is unnecessary, but doing so from there is trivial. It's a little bit more complicated than that if one has a non-Nexus device, but not prohibitively so.

  5. Re:mmm by Teun · · Score: 4, Informative

    The article is about Nexus devices, they are supported for many years.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  6. Re:Android security? lol! by houghi · · Score: 2

    My phone makes calls that cost money, so I DO need security. I would not want it to make calls that cost money (or send messages) without my knowledge.

    And even if that were not the case, I do not like people being able to snoop around on it. Just because I do not have anything to hide does not mean I do not value my privacy.

    --
    Don't fight for your country, if your country does not fight for you.