Android's very bad no good day... (extremely serious sms/mms flaw)

[blankslate]

http://arstechnica.com/security/201...s-can-be-hijacked-by-malicious-text-messages/

The vulnerability affects about 950 million Android phones and tablets, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium. It resides in "Stagefright," an Android code library that processes several widely used media formats. The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format. All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss.

http://www.androidcentral.com/stagefright-exploit-what-you-need-know

It looks like people might have to block all messages or at the very least uncheck the auto-retrieve mms messages in the messenger app they use in android if the option is available. AFAIK that option only stops some of the exploits that can be used which would take advantage of this serious vulnerability in android

.....

 

[lxskllr]

Wonder what would happen if you just disabled stagefright? From the bit I've read, it looks like doing that would disable all audio/visual.

 

[Chiefcrowe]

hmm, I wonder what the plans are to fix this?

 

[Elixer]

I would think that pretty much all OEMs will release a patch.
Main issue that I see is, all the devices that can't be updated easily, and if this will end up in court if they don't offer a way to fix it.

 

[Chiefcrowe]

That makes sense. You're right though, what about the stuff that is close to or at EOL?
It seems like the galaxy s3, for example, is not really being updated anymore.

 

[KeithP]

When I receive a MMS message through Google Voice, the attachment goes to my email's inbox not the text message app so I assume my GV number is safe.

On my actual mobile number I will just block MMS. I guessing that is simplest short term solution for most folks.

-KeithP

 

[Elixer]

A billion Android phones are vulnerable to new Stagefright bugs
Stagefright 2.0, as it's being dubbed by researchers from security firm Zimperium, is a set of two bugs that are triggered when processing specially designed MP3 audio or MP4 video files. The first flaw, which is found in the libutils library and is indexed as CVE-2015-6602, resides in every Android version since 1.0, which was released in 2008. The vulnerability can be exploited even on newer devices with beefed up defenses by exploiting a second vulnerability in libstagefright, a code library Android uses to process media files. Google still hasn't issued a CVE index number for this second bug.

When combined, the flaws allow attackers to used booby-trapped audio or video files to execute malicious code on phones running Android 5.0 or later. Devices running 5.0 or earlier can be similarly exploited when they use the vulnerable function inside libutils, a condition that depends on what third-party apps are installed and what functionality came preloaded on the phone.

http://arstechnica.com/security/201...hones-are-vulnerable-to-new-stagefright-bugs/

I am shocked I haven't seen any class action law suits for this yet...Out of all the android devices I have, 0 of them have had any updates at all.
1 billion is a ton of devices...

 

[Zodiark1593]

What are the odds older phones will have this security flaw fixed?