Allowing staff to use their own devices is a challenge for CISOs as some operating systems aren’t as locked down or updated by vendors as often as others.
Android is one of them, and Monday brought news of another headache involving the mobile OS: Mobile solutions provider Zimperium said it has discovered “scary” vulnerabilities in Android code dating back to version 2.2, details of which will be presented at next week’s Black Hat conference.
Google has already issued patches to its code base, which goes to device manufacturers. But most users have to get updates through their wireless carriers, so it may be some time before the fixes reach devices. Some carriers don’t update older versions of Android at all. Mozilla’s Firefox, which is also affected, has included fixes for these issues since version 38.
However, SC Online was told by a Zimperium official and a vendor that despite the severity of the bugs, the vulnerabilities are difficult to exploit.
“If ‘Heartbleed’ from the PC era sends chill down your spine, this is much worse,” says the company’s blog.
“Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”
Zimperium, which has dubbed the flaws Stagefright, said in a blog it believes the vulnerabilities to be the worst discovered in Android to date, potentially exposing 95 per cent of the hundreds of millions of Android devices in use. Versions of Android before 4.1 (Jelly Bean) are thought to be the most vulnerable.
The vulnerabilities have been assigned codes CVE-2015-1538, -1539, -3824, -3826, -3827, -3828 and CVE-2015-3829.
Briefly, the flaws are in a media library that processes several popular media formats, Zimperium said. Since media processing is often time-sensitive, the library is implemented in native code (C++), which is more prone to memory corruption than memory-safe languages like Java.
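To make the last point concrete, the following is an added example written for this article; it is not code from Zimperium, from Android’s media library, or from any of the CVEs listed above, and it does not reproduce any of those bugs. It shows the defensive pattern a native media parser needs when it reads a length field from an untrusted file: a simplified, constructed length-prefixed chunk format (4-byte big-endian size covering the whole chunk, a 4-byte type tag, then payload) is parsed only after the size is checked against the bytes actually present and against the fixed-size destination buffer. The chunk layout, the sample inputs and all function names are assumptions for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result codes returned by the parser. */
enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED,   /* size field claims more bytes than the buffer holds */
    PARSE_BAD_LENGTH,  /* size field is smaller than the 8-byte header or too big for us */
};

#define MAX_PAYLOAD 64  /* fixed-size destination; an untrusted length must never exceed it */

struct chunk {
    char     type[5];              /* 4-char tag, NUL-terminated */
    uint32_t length;               /* payload bytes actually copied */
    uint8_t  payload[MAX_PAYLOAD];
};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Parse one chunk starting at buf[*offset]. On success, fill *out and
 * advance *offset past the chunk. Every arithmetic step is ordered so that
 * it cannot underflow or overflow on attacker-chosen input.
 */
enum parse_status parse_chunk(const uint8_t *buf, size_t buf_len,
                              size_t *offset, struct chunk *out) {
    size_t pos = *offset;
    if (pos > buf_len || buf_len - pos < 8)      /* need a full 8-byte header */
        return PARSE_TRUNCATED;

    uint32_t size = read_be32(buf + pos);        /* untrusted: comes from the file */
    if (size < 8)                                /* a naive "size - 8" would wrap to ~4 GB */
        return PARSE_BAD_LENGTH;
    if (size > buf_len - pos)                    /* compare against what remains, never pos + size */
        return PARSE_TRUNCATED;

    uint32_t payload_len = size - 8;             /* safe: size >= 8 was established above */
    if (payload_len > MAX_PAYLOAD)               /* bound by the destination, not by the file */
        return PARSE_BAD_LENGTH;

    memcpy(out->type, buf + pos + 4, 4);
    out->type[4] = '\0';
    out->length = payload_len;
    memcpy(out->payload, buf + pos + 8, payload_len);  /* every byte is now known to exist */
    *offset = pos + size;
    return PARSE_OK;
}

/* Walk a whole buffer; return chunk count, or the negated status on the first error. */
int count_chunks(const uint8_t *buf, size_t buf_len) {
    size_t offset = 0;
    int count = 0;
    struct chunk c;
    while (offset < buf_len) {
        enum parse_status st = parse_chunk(buf, buf_len, &offset, &c);
        if (st != PARSE_OK)
            return -(int)st;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not real media files). */
static const uint8_t SAMPLE_VALID[] = {
    0x00, 0x00, 0x00, 0x0C, 'm', 'd', 'a', 't', 1, 2, 3, 4,  /* 12-byte chunk, 4-byte payload */
    0x00, 0x00, 0x00, 0x08, 'f', 'r', 'e', 'e',              /* 8-byte chunk, empty payload */
};
static const uint8_t SAMPLE_HUGE_LEN[] = {
    0xFF, 0xFF, 0xFF, 0xFF, 'm', 'd', 'a', 't', 1, 2, 3, 4,  /* claims ~4 GB, has 12 bytes */
};
static const uint8_t SAMPLE_SHORT_LEN[] = {
    0x00, 0x00, 0x00, 0x04, 'm', 'd', 'a', 't',              /* size smaller than its own header */
};

int main(void) {
    printf("valid:     %d\n", count_chunks(SAMPLE_VALID, sizeof SAMPLE_VALID));
    printf("huge len:  %d\n", count_chunks(SAMPLE_HUGE_LEN, sizeof SAMPLE_HUGE_LEN));
    printf("short len: %d\n", count_chunks(SAMPLE_SHORT_LEN, sizeof SAMPLE_SHORT_LEN));
    return 0;
}
```

The two checks that matter are the order of the comparisons: the size is tested against the remaining buffer before it is used in any addition, and `size - 8` is only computed after `size >= 8` is known. A parser that skips either step, as is easy to do in hand-written C++ under performance pressure, turns a malformed size field into an out-of-bounds read or write; in a memory-safe language the same mistake raises an exception instead.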