Two serious Android flaws found and patched

Google says one of the bugs was left for research purposes and can't really do much damage.

Two serious vulnerabilities were recently discovered on Android-powered smartphones, both similar in severity to the dreaded Stagefright. The media are reporting on two separate incidents, one discovered by a Google researcher and the other by security organisation Checkpoint. The first, discovered by Mark Brand from Google's Project Zero, is dubbed CVE-2016-3861 and allows malicious actors to escalate local privileges. He says it's an 'extremely serious bug'.

"The provided exploit performs this on several recent Android versions for the Nexus 5x and is both reliable and fast in my testing," he wrote in a blog. "It would also be possible to make the exploit faster by directly generating the exploit files in javascript, reducing the unnecessary network round-trips [spent] retrieving identical mp4 files." 

Google, on the other hand, says the exploit was only for research purposes and that it works on only a handful of Nexus devices and "could not be used in real world attacks without substantial modification and even further research."

The second vulnerability, discovered by Checkpoint, is dubbed CVE-2016-3862 and allows attackers to execute malicious code without the victim actually needing to press anything. It works by embedding EXIF data into an image.

"To an advanced attacker, this was relatively easy to find and in their wheelhouse to exploit," Tim Strazzere, director of mobile research at SentinelOne and the researcher who reported the bug to Google, told Threatpost. "You would have access to anything that app had access to or leverage another exploit to get system privileges or root."

Both vulnerabilities have already been patched, although some Android users will need to wait before the update reaches them.

Image Credit: CyberHades / Flickr