Android media-indexing bug opens door for DoS attacks
Remember back in the early days of computing when the general rule of thumb was “only executable files can be malicious?” Sure, if you downloaded some sketchy software from a backwater website you ran the risk of compromising your machine, but non-executable files – things like pictures and music – were generally considered safe. The world’s changed a lot since then, as as operating systems become more complex, even these once-innocuous file types are now emerging as potential agents for mischief themselves. We just shared with you news about an Android vulnerability arising through video content in MMS messages, and today we’re learning about another video-related attack, one that arrives via MKV files.
The glitch deals with how Android’s Mediaserver service indexes MKV video, and a specially crafted MKV file can cause an overflow that crashes the service, kills system audio output, and can cause the UI to slow down or stop responding to user input altogether.
Were an app to embed such an MKV file within it, and run on system startup, it could effectively lock users out of their phones. Even embedded videos on websites can trigger the exploit, despite Chrome’s protections.
Google’s aware of the problem and has classified it as a low priority vulnerability; as of now, there doesn’t appear to be a published fix. Systems running Android 4.3 up through the current 5.1.1 release are reportedly affected.