Joshua J. Drake from Zimperium zLabs has reported a number of vulnerabilities in the Stagefright media playback system deployed in Android operating system devices. These vulnerabilities permit remote code execution when a specially crafted multimedia message (MMS) is sent to an Android device, which can result in the device being compromised and Trojaned, often exposing all data stored on the device. On some devices it appears that the MMS exploit can be executed with no intervention from the user, and in some cases it can be exploited completely invisibly to the user.
It looks like the issue affects Android 2.2 (Froyo, released 2010) and all newer versions, although there is some speculation that exploit mitigation controls in Android Jelly Bean (version 4.1+) may thwart some exploits; the usefulness of these controls is unclear at this time. It is also unclear from the information available today if patches are available. Google has released patched code to the smartphone vendors, but it appears most device vendors have not yet released updated firmware to the public.
The CVEs for these vulnerabilities are:
CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829
It should be assumed that almost all Android devices are vulnerable, so please keep an eye out for updated firmware for your device and apply it as soon as it is available.
Update: Ugo sent a link to a blog post by Greg Bauges which describes some configuration changes that can be made on the Android device to disable the automatic loading of MMS messages. While these changes do not stop the vulnerability from being exploited, they at least ensure the device user is aware the malicious MMS was received and run.
Update: I have been having discussions about the potential of these vulnerabilities for weaponization into a worm. Bruce Schneier has waded in with a similar idea.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)