Slashdot Mirror


Zimperium Releases Stagefright Detection Tool and Vulnerability Demo Video

Mark Wilson writes: We've already looked at the Stagefright vulnerability, discovered by Zimperium, and shown what can be done to deal with it. Affecting up to 95 percent of Android devices, the vulnerability has led to Google and Samsung announcing monthly security updates. Now the mobile security company has released additional details about how the exploit works. To help explain the vulnerability, a video has been produced which uses a Stagefright demonstration to illustrate it in action. Zimperium has also released an Android app that checks devices for the vulnerability.

8 of 54 comments

  1. The mighty have fallen by TWX · Score: 3, Insightful

    A security vulnerability discussion on Slashdot that's over 30 minutes old and has no posts relevant to the content (including this one), and instead has three trolls, one reaction to a troll, and one comment on the fall of Slashdot.

    I really did not expect to see this.

    --
    Do not look into laser with remaining eye.
  2. I ran it by drinkypoo · Score: 2

    Well, on my Transformer Prime, anyway. The unlock tool doesn't work on it, so I have quite an uphill battle ahead of me upgrading it...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:I ran it by garryknight · Score: 2

      I ran it too and what the app told me wasn't immediately useful. When I checked on Google Play, others had said the same. So I installed Lookout Security's Stagefright detector and it not only told me my devices were vulnerable, it also linked to helpful instructions to change my settings and avoid the problem.

      You can install it from here: https://play.google.com/store/...

      Lookout's blog page has details about the app and how to make sure your messaging apps are safe from the exploit: https://blog.lookout.com/blog/...

      If you use a third-party messaging app you will have to follow the general instructions given on the blog page to find the settings specific to your particular app. I should point out that Textra has already fixed the problem from their end. Here's what the app showed me: http://i.imgur.com/36G7o0t.png

      I don't know if it's possible for someone to remotely install the Stagefright vulnerability on your device and then use the device to send exploited messages to everyone on your Contacts list, but if I thought of that then you can bet someone else will.

      --
      Garry Knight
  3. Isn't this pointless for the average user? by timrod · Score: 3, Interesting

    From what I understand, Stagefright is a bug that can only be removed in one of two ways: either by an update from the manufacturer of your device, or rooting your device and manually removing the image viewer that Stagefright uses as a vector. There's really nothing an average (non-rooting) user can do to fix their devices but wait, and nothing they can really do to stop it happening to them short of turning their device off completely and preventing it from getting texts. Sure, it'll tell them that their device is vulnerable, but it's a case of "You're vulnerable to Stagefright and can do absolutely nothing about it short of rooting your device until your device manufacturer decides to release an update."

    1. Re: Isn't this pointless for the average user? by Anonymous Coward · Score: 2, Insightful

      Just disable MMS auto-retrieve instead.

  4. Google and Samsung announcing ... by TheGratefulNet · Score: 4, Interesting

    >Google and Samsung announcing monthly security updates

    I call bullshit.

    until they take security seriously (which means backporting fixes to old os's in phones) this is worse than bullshit. it's acting like a real fix when, in fact, it's still business as usual. phones will not get updates if the vendor wants to force you to re-re-rebuy yet another phone.

    when there is a push to keep selling you things that you already have, you will NOT get software updates or support.

    the model is broken by design. apple has it mostly right (although they also actively try to force upgrades on hardware by EOLing perfectly good and working hw) but android/google fucked the chicken, here. they decided to make a monolithic system out of the non-monolithic linux base and there's no fixing this broken-by-design idea. vendors are enjoying their wild-west view of things and anything goes! consumer protection is a thing that we used to have 20+ yrs ago, but no one cares about us anymore.

    looking to google to help secure things? HA! samsung? DOUBLE HA!

    both are jokes when it comes to software QUALITY. such a shame, too, that such rich companies don't give time or energy to things that truly are important to users.

    --
    "It is now safe to switch off your computer."
    1. Re:Google and Samsung announcing ... by Dutch Gun · Score: 2

      I think they're being forced into this by mounting public/press pressure. They're going through the same discovery process that creators of PC software, browsers, and operating systems went through a decade ago (or more recently with Adobe and Oracle). If a company like Microsoft can get their shit together security-wise, then so can Google and other Android manufacturers. It just requires a fairly serious commitment. Whether this is real or marketing bullshit will become clear soon enough.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  5. Ethical Hacking by SuperKendall · Score: 2

    I'm not saying they should have done it, because of legal exposure, but...

    It would have been pretty cool if the Stagefright detection app also used the vulnerability to patch your system in some way.

    I wonder how that would have been received, if it had all worked perfectly and not screwed something up.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley