The Android ecosystem has just dodged another Stagefright-style vulnerability. Google's monthly Android security bulletin, released Tuesday, did not just patch the Quadrooter vulnerabilities; it also closed a hole that lets attackers brick or compromise Android devices, one that dates back to version 4.2.
Google patched the Quadrooter vulnerability in Android on September 6, 2016, as well as in Chrome 53, and fixed 32 other bugs on September 1 of the same month. Wednesday's complete overhaul of the offending jhead library was a strategy to ward off another Stagefright, which could have meant recurring critical bugs of the kind that Mediaserver has been producing monthly.
According to Tim Strazzere, director of mobile research at SentinelOne, the vulnerability (CVE-2016-3862) is triggered by a specially crafted JPEG file. He said his own Nexus 6P device crashed and rebooted, and he believes the technique could be used in advanced attacks on Android devices.
This would be most effective on older versions of Android. Strazzere added: "This bug I found specifically is in a library that tries to read Exif data out of jpegs. Any app using that library is affected by this." Exif is the standard that defines the format of the metadata embedded in images recorded by digital cameras. He tested his proof of concept on Gchat and Gmail, and found that no user interaction was needed to trigger the bug in applications that use jhead to parse image data in JPEG files. Strazzere said other web-based applications could be affected as well.
He said: "I tested it with Gchat and Gmail, and if I send you a file, because the phone syncs and gets the email, that triggers the bug. You don't have to click on the image or touch the attachment. Just open email, and that would trigger the bug. To an advanced attacker, this was relatively easy to find and in their wheelhouse to exploit. You would have access to anything that app had access to, or leverage another exploit to get system privileges or root."
The jhead library is used mainly to extract and work with the data in the Exif header of JPEG images, such as timestamps, thumbnails and camera data. Android talks to the jhead library through Mediaserver. Google rates the vulnerability critical because of its potential for remote code execution. To address the issue, Google removed support for the jhead library.
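The bug class described above lives in the code that walks JPEG marker segments and the Exif/TIFF directory inside them, and the article's point is that this parsing happens automatically when a message syncs, so a parser must reject malformed input rather than trust lengths and offsets in the file. The following is an added illustration written for this page, not code from jhead, Google or SentinelOne, and it does not reproduce the CVE-2016-3862 defect: it is a minimal, bounds-checked reader for the first Exif directory (IFD0) that refuses any file whose declared segment length, entry count or field offset runs past the buffer. The sample JPEG bytes and the `MAX_ENTRIES` cap are constructed for the example.

```python
import struct

SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
# Byte size of each TIFF field type: BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
MAX_ENTRIES = 512  # hypothetical sanity cap; real IFD0 directories hold a few dozen entries


class ExifError(ValueError):
    """Any structural inconsistency: the caller drops the file instead of guessing."""


def find_app1_exif(data: bytes) -> bytes:
    """Walk the JPEG marker segments and return the TIFF block of the Exif APP1 segment."""
    if len(data) < 4 or struct.unpack(">H", data[:2])[0] != SOI:
        raise ExifError("missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if (marker & 0xFF00) != 0xFF00:
            raise ExifError("bad marker")
        if marker in (EOI, SOS):  # no header segments follow the scan data
            break
        # The length field is attacker-controlled: check it against the real buffer size
        if length < 2 or pos + 2 + length > len(data):
            raise ExifError("segment length exceeds buffer")
        payload = data[pos + 4:pos + 2 + length]
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            return payload[len(EXIF_HEADER):]
        pos += 2 + length
    raise ExifError("no Exif APP1 segment")


def parse_ifd0(tiff: bytes) -> dict:
    """Return {tag: (type, count, value_bytes)} for IFD0, validating every offset first."""
    if len(tiff) < 8:
        raise ExifError("TIFF header truncated")
    if tiff[:2] == b"II":
        end = "<"
    elif tiff[:2] == b"MM":
        end = ">"
    else:
        raise ExifError("bad byte order")
    magic, ifd_off = struct.unpack(end + "HI", tiff[2:8])
    if magic != 42:
        raise ExifError("bad TIFF magic")
    if ifd_off < 8 or ifd_off + 2 > len(tiff):
        raise ExifError("IFD0 offset out of bounds")
    (count,) = struct.unpack(end + "H", tiff[ifd_off:ifd_off + 2])
    # Entry table (12 bytes each) plus the 4-byte next-IFD pointer must fit inside the segment
    if count > MAX_ENTRIES or ifd_off + 2 + 12 * count + 4 > len(tiff):
        raise ExifError("IFD0 entry table exceeds segment")
    fields = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, ftype, n, raw = struct.unpack(end + "HHI4s", tiff[e:e + 12])
        if ftype not in TYPE_SIZES:
            raise ExifError("unknown field type %d" % ftype)
        size = TYPE_SIZES[ftype] * n
        # In C, size = type_size * count and off + size are where integer overflow would hide;
        # here we simply refuse anything larger than the data we actually hold.
        if size > len(tiff):
            raise ExifError("field size exceeds segment")
        if size <= 4:
            value = raw[:size]  # small values are stored inline, left-justified
        else:
            (off,) = struct.unpack(end + "I", raw)
            if off + size > len(tiff):
                raise ExifError("field data offset out of bounds")
            value = tiff[off:off + size]
        fields[tag] = (ftype, n, value)
    return fields


def exif_make(data: bytes) -> str:
    """Camera Make (tag 0x010F) as text, or '' if absent or not ASCII."""
    ftype, _n, value = parse_ifd0(find_app1_exif(data)).get(0x010F, (None, 0, b""))
    return value.rstrip(b"\x00").decode("ascii", "replace") if ftype == 2 else ""


def is_rejected(data: bytes) -> bool:
    """True if the validating parser refuses the input."""
    try:
        parse_ifd0(find_app1_exif(data))
        return False
    except ExifError:
        return True


def build_sample(count_override=None, make_offset_override=None) -> bytes:
    """Constructed minimal JPEG: SOI, one big-endian Exif APP1 with Make and Orientation, EOI."""
    make = b"Canon\x00"
    count = 2 if count_override is None else count_override
    make_off = 38 if make_offset_override is None else make_offset_override  # header 8 + dir 30
    tiff = b"MM" + struct.pack(">HI", 42, 8) + struct.pack(">H", count)
    tiff += struct.pack(">HHII", 0x010F, 2, len(make), make_off)          # Make: ASCII, out of line
    tiff += struct.pack(">HHI", 0x0112, 3, 1) + struct.pack(">H", 1) + b"\x00\x00"  # Orientation
    tiff += struct.pack(">I", 0) + make                                     # next IFD = none, then data
    payload = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(payload) + 2) + payload
    return struct.pack(">H", SOI) + app1 + struct.pack(">H", EOI)


if __name__ == "__main__":
    print("make:", exif_make(build_sample()))
    print("bogus entry count rejected:", is_rejected(build_sample(count_override=0xFFFF)))
    print("bogus data offset rejected:", is_rejected(build_sample(make_offset_override=0xFFFFFFF0)))
    print("truncated file rejected:", is_rejected(build_sample()[:30]))
```

The three rejected inputs are the shapes an automatically parsed attachment can take: a directory entry count that claims more entries than the segment holds, a field whose data pointer lies outside the segment, and a file cut short so that the declared segment length outruns the buffer. Each check compares a value taken from the file against the size of the bytes actually held, which is the invariant a native parser has to maintain in every read.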
Strazzere said: "Google did a great job with its response and the way it's fixing this by removing all the C code. The library is now gone, and they're rewriting it in Java." He said that using a safer language reduces the chance of recurring vulnerabilities and bugs, and that any bugs to come would be less severe.
Google's Android Rewards program awarded Strazzere a $4,000 bounty, which Google doubled because Strazzere and SentinelOne donated it to Girls Garage in the Bay Area, a skills-building program for girls aged 9 to 13.