April Android Security Bulletin Addresses Critical H.264 and H.265 Decoder Vulnerabilities
In April’s Android Security Bulletin, we discovered and privately disclosed seven vulnerabilities—three of which were rated as Critical, one as High, and another three as Moderate. As with the previous bulletins, Google urges owners of devices that are updated directly by Google to apply the over-the-air (OTA) update released to address these vulnerabilities. Users of other Android devices can check with their service providers or device manufacturers for the availability of the April updates.
Of the ones rated Critical, one—CVE-2017-0538—is a remnant of the H.264 decoder vulnerabilities reported in last month’s bulletin, specifically those that could be exploited by specially crafted H.264 files to cause memory corruption. These vulnerabilities could also potentially give attackers the ability to perform remote code execution using the Mediaserver process. In addition to the H.264 decoder vulnerabilities, the update also addresses the first batch of H.265 decoder vulnerabilities (notably CVE-2017-0540 and CVE-2017-0539), which are triggered by H.265 files instead of the H.264 files used by the previous vulnerabilities. These critical vulnerabilities, all of which involve buffer range error handling, are notable for having multiple overflow positions that attackers could exploit. CVE-2017-0538, in particular, has five different Proofs-of-Concept (PoCs) that overflow different buffers, which increases the likelihood of attacks.
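The bulletin describes the defect class only as "buffer range error handling": a length or offset taken from the media file is checked badly (or not at all) before a copy into a fixed buffer. The following C example is added here for illustration and is not the Android H.264/H.265 decoder code, nor code from Trend Micro or Google. It uses a constructed length-prefixed chunk format standing in for a decoder's payload copy, and contrasts an overflow-prone range check with one that cannot wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy format: a 2-byte big-endian length followed by that many
 * payload bytes. Stand-in for a decoder copying a stream field into a buffer;
 * not the real H.264/H.265 decoder code. */

#define OUT_CAP 32u

/* Weak range check (the defect class): `off + len` is computed in size_t and
 * can wrap around for a large attacker-controlled `len`, so a crafted length
 * passes the test although it exceeds the input buffer. */
bool range_ok_weak(size_t off, size_t len, size_t in_len)
{
    return off + len <= in_len;
}

/* Correct range check: compares against the remaining bytes instead, so no
 * intermediate result can wrap. */
bool range_ok(size_t off, size_t len, size_t in_len)
{
    return off <= in_len && len <= in_len - off;
}

/* Parses one chunk from `in` and copies its payload into `out`.
 * Returns the payload length, or -1 when the chunk does not fit the input
 * or the destination buffer. */
int read_chunk(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    if (in_len < 2)                       /* need the whole length field */
        return -1;
    size_t len = ((size_t)in[0] << 8) | in[1];
    /* Bound the stream-supplied length against BOTH the remaining input and
     * the destination capacity before touching memory. */
    if (!range_ok(2, len, in_len) || len > out_cap)
        return -1;
    memcpy(out, in + 2, len);
    return (int)len;
}
```

The important habit is the second check: a decoder that validates a length only against the input can still overflow its own output buffer, which is why the hardened version rejects a well-formed chunk whose payload is simply larger than the destination.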
We also disclosed CVE-2017-0578, a High-severity elevation of privilege vulnerability in the DTS sound driver. An attacker exploiting this vulnerability could use a local malicious application to execute arbitrary code within the context of the kernel. Exploitation first requires compromising a privileged process, hence the High rating.
CVE-2017-0555, CVE-2017-0556, and CVE-2017-0557 round out our disclosed vulnerabilities for April. The three Moderate severity vulnerabilities in Android’s Mediaserver component could potentially allow attackers access to information outside their permission levels via a malicious application.
For CVE-2017-0555, Google marked another critical RCE issue as a duplicate of this vulnerability. According to our information, this issue can be triggered in different code paths with four different PoCs, which include three information leaks and one code execution. We consider it a critical issue and have asked Google to reassess its severity.
Best Practices and Trend Micro Solutions
As always, users should be cautious about the websites they visit. Suspicious-looking websites—especially ones that stream videos and other media—should be avoided if their legitimacy cannot be confirmed. Some of these vulnerabilities can also be exploited by malicious applications, so the same caution applies to downloaded applications and programs.
End users can protect their mobile devices by downloading Trend Micro Mobile Security (TMMS), which can detect threats that could be used to exploit vulnerabilities.
Trend Micro disclosed the following vulnerabilities: CVE-2017-0538, CVE-2017-0539, CVE-2017-0540, CVE-2017-0555, CVE-2017-0556, CVE-2017-0557, CVE-2017-0578