Quite a biggy this week. According to researchers from Zimperium, which is a provider of IPS and security stuff for mobile devices, not a rare metal or intergalactic force, there are a number of bugs in the media library of all Android devices on Planet Earth which enable attackers to have their evil way by just sending a Multimedia Messaging Service (MMS) message.
That’s right, just sending the target an MMS can compromise the phone. EEEK. You can even compromise the phone and delete the message while the user sleeps or isn’t looking at his or her device, as if that would ever happen.
Apparently the problem is because media processing, being CPU intensive, is implemented in native C++ code that can be somewhat more aggressive with device memory than more memory restrictive languages such as Java. We are taking that explanation with a big pinch of salt.
Anyhow it looks like this may be a really big problem. It has the following CVEs, which are in RESERVED status at the moment and contain no detail, and will not until the Zimperium zLabs VP of Platform Research and Exploitation, Joshua J. Drake (@jduck), (see what he did there Drake – Duck haha) presents his findings at BlackHat and DefCon23 (05/08/15 and 07/08/15 respectively):
- CVE-2015-1538
- CVE-2015-1539
- CVE-2015-3824
- CVE-2015-3826
- CVE-2015-3827
- CVE-2015-3828
- CVE-2015-3829
Not just the seven reserved CVEs, but it has it’s own logo (see above) and a catchy name, so it must be credible. The CERT Advisory can be found here http://www.kb.cert.org/vuls/id/924951 and the Zimperium edict can be found here: http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/
We await the detail anxiously.
So, the Z people have informed Google and have supplied patches to the open source code, which is nice of them and Google are remediating furiously but this will be a lengthy process.
What can we do about this lurking horror we hear you cry? Well as luck would have it, there is a company out there that offers protection; Can you guess who it is? Look no further than our alien friends Zimperium! What a happy coincidence.
If you don’t have the time or inclination to deploy a new security suite across your Android estate, or even on your own Rap Rod (™ Douglas Adams RIP) you should turn off MMS auto retrieval in your messaging application, which is possible in many, but not all of them. If the texting app doesn’t support this feature, probably best disable the application for now. This may or may not be possible using your MDM package.
If you would like some advice on how to deal with this issue, which is probably the most serious mobile vulnerability ever, please contact us on: [email protected] or 02075173900
