Trend Micro researchers are now disclosing additional details about one of the vulnerabilities (CVE-2015-3824) in the so-called “Stagefright” cluster affecting Android users.
The “Stagefright” vulnerability is actually a marketing label for a cluster of seven individual vulnerabilities. One of the vulnerabilities in this cluster, CVE-2015-3824, was independently discovered by Trend Micro’s research team at the same time as other security researchers. This is actually a common occurrence in vulnerability research. For instance, we and other researchers found, and were credited for, the vulnerability that Microsoft recently fixed out-of-band with MS15-078.
Like others in the industry, our researcher team found the multimedia message system (MMS) attack vector for this vulnerability. However, they also found two additional vectors that can be used to successfully exploit it. After discussions with Google, we can now disclose what we’ve found.
The first additional attack vector is delivered via malicious video files on a website. This is nearly as dangerous as the MMS attack, since many videos now auto-play, especially on mobile devices. This vulnerability also enables attackers to bypass the disabling of auto-play videos in Chrome. This means an attacker would only need to convince a user to visit a posted video, enabling complete control the device after it’s played.
The second attack is made possible through malicious apps or MP4 files designed to exploit the vulnerability. Once a user downloads and runs it, the attacker would have full control over the device.
The recommendation to disable MMS will NOT protect against these two new attack vectors. However, it is still effective against one of the three attack vectors, and is a good idea generally if that feature is unused.
While there are no known mitigations for web-based video attack vectors, web reputation services like Trend Micro’s Web Reputation Services can help protect against known malicious sites. To help protect against malicious apps or MP4 files, be cautious about downloads. As malicious apps are discovered, mobile security solutions like Trend Micro Mobile Security can provide protection.
The best solution, of course, is to apply updates that fix the vulnerability. Unless you have a Nexus phone, you will get security fixes from your carrier, or the maker of your device.
Unfortunately, many of the 89 percent of Android users at-risk will never be able to fix this vulnerability due to the age of their devices or their carriers and/or handset makers not making fixes available. These users are running “unpatchable Android” and can only fully protect themselves by getting a new device.
You can get more technical details on this at the Security Intelligence blog posting here.
Our research teams are monitoring this situation carefully and we will update you with any new information.
Please add your thoughts in the comments below or follow me on Twitter; @ChristopherBudd.