Thursday, October 1, 2015

Android devices at risk from new security flaws – Trade

Vulnerabilities recently discovered in the way Android processes files can allow attackers to compromise devices by tricking users into visiting maliciously crafted Web pages.

The weaknesses can lead to remote code execution on almost all devices that run Android, from the first to the latest version of the operating system, according to researchers at mobile security company Zimperium.

The flaws are in the way Android processes the metadata of MP3 audio and MP4 video files, and are triggered when the Android system or other applications that use the Android media libraries display a preview of these files.

Zimperium's researchers found similar multimedia processing flaws earlier this year in an Android library called Stagefright, which could have been exploited simply by sending a maliciously crafted multimedia message (MMS) to Android devices.

Those flaws prompted a coordinated effort by device manufacturers to create security patches, something that Adrian Ludwig, chief engineer for Android security, has called “the largest and most unified software update worldwide”.

That vulnerability also led Google, Samsung and LG to commit to monthly security updates from now on.

One of the newly discovered flaws is in a core Android library called ‘libutils’ and affects almost all devices running Android versions prior to 5.0 (Lollipop). The vulnerability can be exploited on Android Lollipop (5.0 – 5.1.1) by combining it with another bug found in the Stagefright library.

The Zimperium researchers refer to the new attack as Stagefright 2.0 and believe that it affects more than one billion devices.

Since the earlier MMS attack vector has been closed in newer versions of Google Hangouts and other messaging applications, the most direct way to exploit the latest vulnerabilities is through the Web browser, Zimperium researchers said.

Attackers could trick users into visiting websites that trigger the flaw through links in email and instant messages, or through malicious ads that appear on legitimate websites.

Attackers who are in a position to intercept users' Internet connections, for example on open wireless networks or through compromised routers, could inject the exploit directly into their unencrypted Web traffic.

Third-party media players or instant messaging applications that use the Android library to read metadata from MP3 and MP4 files could also be used as attack vectors, the researchers said.

Zimperium reported the flaws to Google on August 15. The fix will arrive on October 5 as part of the new monthly Android security update, said a representative of the company.

The earlier Stagefright flaws led researchers to test Android's multimedia processing libraries for additional vulnerabilities. Researchers from antivirus vendor Trend Micro have already found and reported several problems in these components.

“As more and more researchers have explored several vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area,” Zimperium said in its report. “Many researchers in the community have said that Google responded to the bugs they reported by saying they were duplicates or had already been discovered internally.”

Zimperium plans to update its free ‘Stagefright Detector’ application with detection for these flaws once patches are available.
