Stagefright security flaw in Android may have good consequences in the end...

blankslate

http://www.theverge.com/2015/8/5/9099627/google-stagefright-android-vulnerability-protect-patch

It's been 10 days since Zimperium's Joshua Drake revealed a new Android vulnerability called Stagefright — and Android is just starting to recover. The bug allows an attacker to remotely execute code through a phony multimedia text message, in many cases without the user even seeing the message itself. Google has had months to write a patch and already had one ready when the bug was announced, but as expected, getting the patch through manufacturers and carriers was complicated and difficult.

But then, something unexpected happened: the much-maligned Android update system started to work. Samsung, HTC, LG, Sony and Android One have already announced pending patches for the bug, along with a device-specific patch for the Alcatel Idol 3. In Samsung's case, the shift has kicked off an aggressive new security policy that will deploy patches month by month, an example that's expected to inspire other manufacturers to follow suit. Google has announced a similar program for its own Nexus phones. Stagefright seems to have scared manufacturers and carriers into action, and as it turns out, this fragmented ecosystem still has lots of ways to protect itself.

That still doesn't mean patches will be immediate, but it means they'll arrive in weeks instead of months, giving attackers less and less time to exploit newly discovered bugs. At the same time, Android mitigation efforts are making vulnerabilities harder and harder to exploit. Even in its current form, Stagefright has had trouble getting around Android's Address Space Layout Randomization protections (commonly known as ASLR). The bug can still be used to trigger unauthorized code — a troubling result under any circumstances — but the ASLR system has made it difficult to reliably run any specific piece of code across a range of devices, a difficulty acknowledged by Drake himself.

Hey guys! Instead of redoing/reproducing my work, why don't you see if you can bypass ASLR via Stagefright!
— Joshua J. Drake (@jduck) August 3, 2015

The manufacturers working with Google will hopefully make Android safer. There is still the issue of when older models will get security patches, but it looks like carriers are pushing out fixes for the exploit on newer phones first, and that even some older models will also get patches, according to the image below.

http://www.androidcentral.com/att-p...loit-galaxy-s6-active-note-4-s5-and-s5-active



From various other forum posts I've read about the update, it's designed to fix the version of the OS that is normally on the phone. So if a phone that gets the fix is on 5.0.1, it won't update to a newer Android version if the phone isn't scheduled for one.

According to the first link, some carriers are also taking available steps to mitigate the exploit. For example, Deutsche Telekom has disabled automatic MMS retrieval, so that users must manually download messages if they want to see them.

A monthly patch cycle similar to other OSes is a welcome development. The other option might have been smartphone users going to Apple phones if Google were the only entity moving on the issue.
