Discussion:
[whispersystems] Android MMS vulnerability
Arun Raghavan
2015-07-27 20:10:44 UTC
Hello,
I was wondering whether the recently publicised Android MMS/stagefright
exploit [1] affects TextSecure (I'd imagine yes), and if there's a
mechanism to disable automatically downloading MMSes in the app?

Cheers,
Arun

[1] http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/
Eric Hollander
2015-07-27 20:22:39 UTC
I also was wondering about this. Big messy blocks of C code for media
decoding are exactly the place I would go to look for buffer overflow
problems. I'm sure this isn't the last time a buffer overflow will be
found in some media decoder code in Android. It's a huge amount of code
with complicated branch conditions. Android really should either use
media decoders that are written in a managed-memory language (Java or
Go), or somehow isolate media decoding as a separate process with a
locked-down user. But until one of those two things happens, it's going
to be a vulnerability.

I wonder if this same media decoder vulnerability could also be accessed
by sending an email attachment.
Moxie Marlinspike
2015-07-27 20:34:57 UTC
Hey Arun, unfortunately there are no details about the vulnerability
available. Maybe it's really bad, maybe it's all hype.

Supposedly the vulnerability is in stagefright, which is the Android
framework responsible for audio/video encoding/decoding and playback.
TextSecure doesn't do any pre-processing of received audio/video
messages, so it seems unlikely that a vulnerability in stagefright could
be triggered simply by sending audio/video to a TextSecure user.

TextSecure plays audio/video by handing it to the system's default media
player. If there's a stagefright vulnerability, it's possible that the
system's default media player is vulnerable. From TextSecure, that
interaction should only happen by physically tapping on an audio/video
attachment, then tapping through a warning dialog about insecure
playback. At that point, it's out of our hands.

- moxie
Post by Arun Raghavan
Hello,
I was wondering whether the recently publicised Android MMS/stagefright
exploit [1] affects TextSecure (I'd imagine yes), and if there's a
mechanism to disable automatically downloading MMSes in the app?
Cheers,
Arun
[1] http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/
--
http://www.thoughtcrime.org