Earlier in the year, Android had one of the most significant security scares since Apple’s systems were compromised and many hundreds of individuals had their Apple iCloud photographs copied and distributed across the Internet. I am writing about the Stagefright critical security vulnerability, whereby a hacker could inject a malicious piece of code deep into an Android device via an embedded video sent to the device via a multimedia message. In theory, an attacked could take control of the target device and silently install third party applications and embed more malware deep into the device. The Stagefright critical vulnerability was patched by Google, who also released the code into the world at large. Around and about the same time, Google also announced that it would be issuing monthly security patch code update to supported versions of Android. We’ve seen Android 6.0 Marshmallow including a simple date field in the Settings, About Device menu that shows users the date of their particular device’s security patch, which in turn means that it is significantly easier for customers to know how current their device software is.
We are now almost a week into December and Google have released the December 2015 Security Bulletin, which goes into detail over the current update and the security vulnerabilities that have been addressed in this particular release. Google stated that software partners were provided with updates for the December update back on the 2nd of November. The Android Open Source Project will be updated by Wednesday and firmware images containing the patches are available now via the Google Developers website. Once installed, devices will show the 1 December 2015 date in the Settings, About Device menu.
As far as what Google have addressed in this issue, there are a total of sixteen “Common Vulnerability and Exposures” that have been identified and resolved with this update. Google’s security bulletin reports that there are no reports of any active exploits through these vulnerabilities, which were discovered by eleven individuals. Four of these individuals work for the Google Chrome Security Team (also known as Project Zero). Most of the security issues concern the mediaserver code including privilege elevation within the Stagefright library and there are more details available at the source, linked below.
What is perhaps interesting is that BlackBerry have already pushed the updated code to the BlackBerry Priv, which is still running Android 5.1.1. That BlackBerry have rolled the update might be viewed by a cynic as easy for them as they have just one Android device, but let’s make something clear: this is BlackBerry’s first Android device and security is at the very foundation of the device. We can only hope that the changes Google have made to devices, and the example of BlackBerry pushing updates, will encourage other manufacturers to do the same thing and get their own software updated. Nevertheless, it is going to be a long, hard slog to get manufacturers to release critical security updates in a timely fashion.