Short Bytes: Google has fixed a critical vulnerability in its September security patch level. The vulnerability exists in the way the Exif data of an image is parsed by some Android apps. It could allow an attacker to brick the device or perform remote code execution without the knowledge of the user.
Strazzere was awarded a bounty for reporting the “Remote code execution vulnerability in Mediaserver”. Google gave $8000 (including Strazzere’s $4000 bounty) to GirlsGarage, a building program and dedicated workspace for girls between 9 and 13.
The vulnerability, which is flagged critical by Google, allows an attacker to take control of an Android device using an image. The image does not need to be placed in front of the user as bait. Instead, a modified image that gets loaded in affected apps like Gmail can allow the attacker to brick the device or perform remote code execution.
The vulnerability lies in the way some Android apps parse the Exif data of an image using the ExifInterface object. The user wouldn’t know their device has been compromised. Strazzere said that triggering the bug could be as simple as receiving an email or message. “Once that application attempts to parse the image (which was done automatically), the crash is triggered.”
“Theoretically, someone could create a generic exploit inside an image to exploit lots of devices. However, due to my skill level, I had to specifically craft each one for the devices. Though once this is done, Gchat, Gmail, most other messengers or social media apps would likely allow this to trigger.” – Strazzere told Forbes.
The security patch update will be pushed to devices running Android 4.4.4 KitKat and higher. The researcher tested as far back as Android 4.2 to see whether the exploit worked, and it did. These older devices may not be patched. If you are still using one of these ancient Android versions, it is time to take some cash out of your pocket.
An OTA update for all supported Nexus devices was pushed on September 6, 2016. For non-Nexus devices, an update would be in the works, to be released soon.