Stagefright Patch Incomplete and Zero Day in Android Google Admin App Found

msm1267 writes: A patch distributed by Google for the infamous Stagefright vulnerability found in 950 million Android devices is incomplete and users remain exposed to simple attacks targeting the flaw. Researchers at Exodus Intelligence discovered the issue in one of the patches submitted by Zimperium zLabs researcher Joshua Drake. Google responded today by releasing a new patch to open source and promising to distribute it next month in a scheduled OTA update for Nexus devices and to its partners. Drake's original patch failed to account for an integer discrepancy between 32- and 64-bit, Exodus Intelligence said. By inputting a specific 64-bit value, researchers were able to bypass the patch. Exodus, which submitted a bug fix of its own to Google, said it decided to go public with its findings for several reasons, including the fact that the vulnerability was widely publicized by Zimperium before and during Black Hat, not to mention that Google has had the original bug report since April, yet neither party noticed the discrepancy in the patch. The Android security team at Google is having a busy month. Trailrunner7 writes: Researchers at MWR Labs have released information on an unpatched vulnerability that allows an attacker to bypass the Android sandbox.

Exodus is wrong

[swillden]

Exodus is wrong.

The flawed patch they mention in their post isn't the one being pushed to devices. What makes this funny is that the correct patch is in AOSP, for everyone to see. What Exodus posted is the patch that jduck suggested. And it's in AOSP here. But Google further updated it with this, which fixes the flaw Exodus noticed in jduck's fix.

There are still some known ways to crash libstagefright, but they're assertion crashes. They crash safely, no possibility of exploitation.