Android Bug Cellphones Media

Maliciously Crafted MKV Video Files Can Be Used To Crash Android Phones

itwbennett writes: Just days after publication of a flaw in Android's Stagefright, which could allow attackers to compromise devices with a simple MMS message, researchers have found another Android media processing flaw. The latest vulnerability is located in Android's mediaserver component, more specifically in how the service handles files that use the Matroska video container (MKV), Trend Micro researchers said. "When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system). The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data."
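The summary above says the crash comes from an integer overflow while mediaserver parses an MKV file, after which the parser reads outside its buffer. The C program below is an added example, not Trend Micro's or Android's code: it shows the class of bug (a length taken from the file is added to an offset in 32-bit arithmetic, the sum wraps, and a bounds check passes that should have failed) next to the hardened form that compares the untrusted size against the bytes remaining instead. The Matroska/EBML variable-length integer layout is the real one; the function names and the three sample byte strings are constructed for illustration and are not taken from any real file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decode one EBML variable-length integer ("vint"), the encoding Matroska uses
 * for element IDs and element sizes. The number of leading zero bits in the
 * first byte gives the width (1..8 bytes); the marker bit is stripped from the
 * value. Returns the number of bytes consumed, or 0 if the field is malformed
 * or would run past the end of the buffer. */
static size_t ebml_read_vint(const uint8_t *buf, size_t len, uint64_t *out)
{
    if (len == 0 || buf[0] == 0)          /* empty, or width > 8 bytes */
        return 0;
    size_t width = 1;
    uint8_t mask = 0x80;
    while (!(buf[0] & mask)) {            /* count leading zero bits */
        width++;
        mask >>= 1;
    }
    if (width > len)                      /* field truncated */
        return 0;
    uint64_t v = buf[0] & (uint8_t)(mask - 1);
    for (size_t i = 1; i < width; i++)
        v = (v << 8) | buf[i];
    *out = v;
    return width;
}

/* The check pattern that goes wrong: computing "end = off + size" in 32-bit
 * arithmetic before comparing. A size close to UINT32_MAX wraps the sum to a
 * small number, the comparison passes, and the parser then walks memory it
 * does not own. Returns 1 if the element is (wrongly) accepted. */
int size_fits_unsafe(uint32_t off, uint32_t size, uint32_t len)
{
    uint32_t end = off + size;            /* may wrap */
    return end <= len;
}

/* Hardened form: compare the untrusted size against the bytes that remain,
 * so no addition on attacker-controlled values can overflow. */
int size_fits_safe(uint32_t off, uint64_t size, uint32_t len)
{
    return off <= len && size <= (uint64_t)(len - off);
}

/* Walk the top-level elements of an EBML/Matroska buffer and count them,
 * using only the safe check above. Returns -1 on any malformed input:
 * bad vint, truncated field, "unknown size" marker, or a size that exceeds
 * the remaining data. */
int ebml_count_elements(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        uint64_t id, size;
        size_t n = ebml_read_vint(buf + off, len - off, &id);
        if (n == 0)
            return -1;
        off += n;
        n = ebml_read_vint(buf + off, len - off, &size);
        if (n == 0)
            return -1;
        off += n;
        if (size == (1ULL << (7 * n)) - 1) /* all ones = "unknown size"; not supported here */
            return -1;
        if (size > len - off)              /* same rule as size_fits_safe, in size_t */
            return -1;
        off += (size_t)size;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not real files): a minimal EBML header holding an
 * EBMLVersion child, followed by an empty Segment element. */
const uint8_t SAMPLE_OK[] = {
    0x1A, 0x45, 0xDF, 0xA3, 0x84,        /* EBML header, size 4 */
    0x42, 0x86, 0x81, 0x01,              /*   EBMLVersion = 1 */
    0x18, 0x53, 0x80, 0x67, 0x80         /* Segment, size 0 */
};
/* Same header, but the size field claims 4 bytes and only 2 follow. */
const uint8_t SAMPLE_TRUNCATED[] = {
    0x1A, 0x45, 0xDF, 0xA3, 0x84, 0x42, 0x86
};
/* Header whose 5-byte size field decodes to 0xFFFFFFFD, the kind of value
 * that wraps a 32-bit "off + size" check. */
const uint8_t SAMPLE_HUGE_SIZE[] = {
    0x1A, 0x45, 0xDF, 0xA3, 0x08, 0xFF, 0xFF, 0xFF, 0xFD
};

int main(void)
{
    printf("ok file: %d elements\n", ebml_count_elements(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("truncated: %d\n", ebml_count_elements(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("huge size: %d\n", ebml_count_elements(SAMPLE_HUGE_SIZE, sizeof SAMPLE_HUGE_SIZE));
    printf("unsafe check accepts wrapped size: %d, safe check: %d\n",
           size_fits_unsafe(9, 0xFFFFFFFDu, 9), size_fits_safe(9, 0xFFFFFFFDu, 9));
    return 0;
}
```

The point of the two check functions is the order of operations: `size_fits_unsafe` does the addition first and compares second, so a 32-bit build accepts an element whose claimed size wraps the sum; `size_fits_safe` never adds attacker-controlled numbers together, it only asks whether the size fits in what is left. Parsers that want to catch this class of bug before it ships run inputs like `SAMPLE_HUGE_SIZE` through a fuzzer with a sanitizer enabled, which reports the out-of-bounds read the moment the wrapped check lets it through.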

  • by Anonymous Coward
    Could this be used in a malicious way, other than annoying people by rebooting their phones?
    • Possibly. Any time you have a buffer overflow, there's a possibility that you can write to the stack and execute arbitrary code.

  • Closed Ecosystem (Score:5, Interesting)

    by OverlordQ ( 264228 ) on Wednesday July 29, 2015 @12:06PM (#50205449) Journal

    And those running custom mods will have this fix this week while those who are locked in to their carriers will be stuck vulnerable for who knows how long.

    • Or you could use an iPhone, which doesn't even support MKV.

      • by 0123456 ( 636235 )

        Or you could use an iPhone, which doesn't even support MKV.

        I'm going back to my old Samsung, which doesn't even play videos, and is barely capable of displaying image files.

        • Same here...my old Nokia can't do all that new-fangled stuff, so I suppose I'm safe from these exciting new advances in technology. And by "technology", I mean "exploits".
• Older devices have historically had more potential vulnerabilities to exploit than newer systems. I don't have the link on me right now, but I believe that there was a court case about the legality of monitoring someone's phone based on the age of the device and its capabilities.
            • It may be that my phone is vulnerable, but any hacker who could manage to exploit it would have my respect. In fact, I'd be proud to have my phone rooted or compromised by someone who could do it, considering the obscureness of my device.

              PS: I just checked the stone tablets that the original Owner's Manual came on, and there's nothing mentioned about vulnerabilities there. ;)
      • by tlhIngan ( 30335 )

        Or you could use an iPhone, which doesn't even support MKV.

        Out of the box, no. But there are plenty of apps to solve that problem.

      • Not natively anyway. My preferred app for playing media on my iPad, including mkv files, is nplayer. Not free, but worth every penny. I'm assuming it works on an iPhone, my personal phone is an android and I'm not paying to put nplayer on the iPhone my employer makes me carry.

    • And those who use an MVNO and don't know how to set their APN are already safe!
    • Re:Closed Ecosystem (Score:5, Interesting)

      by TheGratefulNet ( 143330 ) on Wednesday July 29, 2015 @12:41PM (#50206035)

      I can update a proper linux system. apt-get update (etc etc) and I'm good. it could be a 5 yr old linux install, 10 yr even more. it will still get security and major bugfixes.

      android? yeah, right. my nexus one (go ahead, laugh at the old guy with the ancient phone) has not had an update for over 3 years now; probably more than that. 2.x distro from cyan and even they stopped doing updates. I have no time in my schedule to learn android internals well enough to do this myself (I could do it for linux, but I have no desire to waste time on phone crap, too many other things to get done). and so, I am running quite old software on a mobile computer and unless I pay for new hardware (my old hw works fine, still) I can't get updates.

this is the main reason why I hate google so much. they totally messed up on the whole android build/deploy/update system. it's not linux, it's not separable (gfx and kernel and ip stack are all commingled, like a college-hire might design, sigh) and you can't update just the parts you need. it's a whole update or nothing at all. HOW UTTERLY STUPID.

      I wish I could get to love apple gear. then again, they EOL their old products, too, and so I'd have to keep rebuying hardware just like android guys are forced to do.

I may just go back to dumb phones again. this is ridiculous. a mobile computer with wireless access, a lot of my personal info on it and yet no update mechanism at all. essentially it's abandonware. hundreds of dollars and I have a device that won't ever get updated even though there's not a single good reason for that.

      what I can't figure out is: was google stupid or smart when they planned this? I tend to think they were both; stupid due to having too many kids onboard who don't understand the longevity of embedded systems in the real world; and smart since they force people to keep re-re-rebuying things and that must make their hardware partners very happy. they also can ignore older hardware and save time on multiple forks and build trees. but it was all the wrong design for END USERS. we are the ones who get screwed by this.

      I cannot ever forgive google. they could have kept linux clean on the phone and allowed users to update ip-stack, kernel, etc. but they put a lot of effort into NOT allowing this and we all pay for it with security problems; and ones that we won't ever be able to fix, either, unless we do the work ourselves (which is not acceptable for an embedded system).

      • by Anonymous Coward

it's a whole update or nothing at all.

        Never attribute to stupidity that which is adequately explained by greed.

      • by brunes69 ( 86786 )

You need to head to xda-developers.com and learn how to install a ROM. It is not complicated. The process is as simple as copying a zip file to your phone, rebooting the phone, and picking the zip file. Done.

        • If he's running Cyanogenmod (as he alludes to in his post), he knows how. The problem is that everyone stops supporting the old stuff after a while.
        • "Install a rom"?

          I used to do shit like that on 8 bit microcontrollers. If it's just one .so to change why the hell can't I just do, as the GP said, "apt-get update; apt-get dist-upgrade"?

          Works on my N900, worked on my N9, works on my Jolla.

          Android is primitive.

          • by brunes69 ( 86786 )

            You're not listening to me. This has nothing to do with Android. It has to do with the ROM on your phone that came from the phone maker. You need to swap out your ROM for one that is more open, and that allows root access so that you can do these kinds of updates. My Cyanogen ROM can pull updates on a nightly basis if I so choose.

• Ok, sorry, your answer was not clear to me. I thought you were saying the way to replace one package was to replace the whole rom; you meant to say that after replacing the whole rom you could do updates that just replace one package.

      • by 0123456 ( 636235 )

        I think Google were just rushing to get a competitor out before Apple took over the mobile market and they lost all their ad revenue there.

        Now, they look set to lose the market to Windows--which is something I never thought I'd say--if they don't find a way to push security fixes to phones without having to go through the manufacturer and carrier.

      • by c ( 8461 )

        they totally messed up on the whole android build/deploy/update system.

        From what I understand, a significant chunk of the problem with mobile device "longevity" is that closed source drivers for the SoC's used in phones are typically provided by chipset vendors, and if the driver model used by the O/S ever changes then the SoC vendor needs to provide a newer set of drivers. Which they aren't going to do when they are no longer selling the chipsets.

        • From what I understand, a significant chunk of the problem with mobile device "longevity" is that closed source drivers for the SoC's used in phones are typically provided by chipset vendors, and if the driver model used by the O/S ever changes then the SoC vendor needs to provide a newer set of drivers.

          That's mostly it, the problem is that the Linux kernel binary interface is unstable so binary drivers that work in one version may not work in the next version and would often need to be modified and rebuilt against the newer kernel then distributed.

          • But none of these recent problems need a kernel upgrade -- the userland/kernel interface is stable, there is nothing stopping Google & pals from just releasing a package with the new .so file.

            Except that their package management is primitive to nonexistent.

            • No, the issue is that it's open source and carriers customise the components. Android had a working online update infrastructure since day one, actually since before Apple did. But that's no use when the first thing OEMs do is repoint those mechanisms at their own servers and make huge changes to the code.

              The comparisons with Linux are especially strange. Guess what? Upstreams who develop software for Linux and see it get repackaged by distributors are in exactly the same boat as Google. They see their soft

            • We're talking about the problem with mobile device "longevity" [slashdot.org].
      • by guises ( 2423402 )
        That 2.x distro was the last that Google did for the Nexus One, but I'm running 4.4.4 (Carbon rom) on mine just fine. And I installed that... a year ago? There's probably a more recent one now.

        I too would like better standardization on the hardware, but it doesn't seem as though the device manufacturers are willing to go for that. Everyone wants their own non-standard custom sparkly feature, to make their junky phone stand out from everyone else's. I'm not sure Google deserves all or even the majority o
      • The hardware in your phone is pretty slow compared to anything in the last few years.
        The 1GHz single core Snapdragon CPU is slower per MHz than a standard Cortex A9
        It's only got 512MB of RAM

It was a great phone 5 years ago, but seriously, it isn't powerful enough to run anything later than Android 2.3. I doubt anything with that CPU is. Even cyanogenmod support stopped at CM7.

      • and so, I am running quite old software on a mobile computer and unless I pay for new hardware (my old hw works fine, still) I can't get updates.

        The hardware may work fine but there is no appropriate software to run on it. So ultimately is your privacy worth a couple hundred dollars every year or so?

essentially it's abandonware. hundreds of dollars and I have a device that won't ever get updated even though there's not a single good reason for that.

        The code is all there, it's open source but nobody wants to maintain it and nobody wants to pay anybody to maintain it. What do you think is going to happen to it? It isn't going to maintain itself.

  • Can someone explain why the program handling interaction with assorted media files would be so closely linked to the rest of the system working? I understand that parsing the ghastly mess of different standard and pseudo-standard formats out there, as poorly or even maliciously interpreted by various 3rd parties, is a difficult and dangerous task; so I'm not surprised by the fact that there is a bug in the media component; but if it is known to do such a dangerous job why isn't it compartmentalized more agg
    • Taking your question at face value:

      • Programming is hard
      • It would add latency to do the full range of sanity checks
      • The engineering assumption is that the device will be lagging already from ads and other "monetization."
      • Robust software sells the same as buggy software, as long as the bug isn't routine.
      • They try to get developers to use the media library in place of the filesystem. Why? So they can do backups easily that back up "everything" the users added to the applications, without having to try to sort the f
      • by jedidiah ( 1196 )

They need to be going out of their way to make this more of a problem than it should be. No modern OS should be crashing simply because one of its apps ran amok. This isn't 1981.

        Unix + media player should not be able to crash the OS unless they took extra special measures to make the OS vulnerable.

        • Unless you end up sending junk to the GPU and it locks up the entire SoC?
          Just a guess, but who knows... or perhaps it sends junk data to a kernel module?

    • Can someone explain why the program handling interaction with assorted media files would be so closely linked to the rest of the system working?

      Because 1) programmers are lazy and 2) management doesn't want them to "waste time" programming all those pesky security checks.

    • by brunes69 ( 86786 )

      The reason is because when a core system process crashes on android, the system automatically restarts it.

      This is normally a good thing - but if you have a scenario where you've done something that will cause a process to crash on start (which is what this thing is), the process restarts and restarts over and over indefinitely, essentially locking you out of the UI. Command line access via ADB is unaffected.

      Anyone who has messed around with custom ROMs has likely seen this behaviour many times by flashing a

  • I can't even get my Android phone to play .mkvs, much less crash it. :(
• Trend Micro reported the flaw in May, it said, but Google assigned it a low priority.

So, publishing it will presumably make them move the priority up? AFAIK, if the attacker could register the properly crafted MKV to play on start, you'd be in a bricked phone situation; factory reset, fixed, done.

• How can I disable MMS? In the whole last 9 years when the phones I used supported MMS, I think I used the feature 3 times:
  * one time for a test
  * two times to receive a train ticket (now they switched to internet+app)

  I have no clue why I should use MMS. I use SMS a lot (since it works with all phones).

  No need for this feature.
