In practical terms, this means that an attacker can remotely execute
code on a victim’s device by sending them a malicious MP3 or MP4 file.
Back in July, a bug in Android’s media playback system called Stagefright,
which only needed a specially crafted text message to the victim’s
phone in order to remotely execute code, left about a billion devices
vulnerable to hackers.
Although Google
promptly issued a parch for that particular vulnerability, the security
research company that initially found the original bug, Zimperium, has
found two new vulnerabilities in Stagefright, which could enable hackers
to take over an Android device by sending the victim a specially
crafted multimedia file.
“All Android devices without the yet-to-be-released patch contain this latent issue,” said a researcher at Zimperium zLabs, Joshua Drake.
In practical terms,
this means that an attacker can remotely execute code on a victim’s
device by sending them a malicious MP3 or MP4 file. The bad part is that
the victim doesn’t even have to open the file.
"The
vulnerability lies in the processing of metadata within the files, so
merely previewing the song or video would trigger the issue," wrote Zimperium in a blog post.
Google
has acknowledged the issue, but a patch is still not available yet.
Even when Google does release a patch, it could take some time for
Android phone manufacturers to implement it.
The best thing for users to do right now is to avoid downloading or opening multimedia files and links with unknown sources.
No comments:
Post a Comment