Slashdot Mirror


Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices

msm1267 writes: Security researcher Joshua Drake today disclosed two more flaws in Stagefright, one that dates back to the first version of Android, and a second dependent vulnerability that was introduced in Android 5.0. The bugs affect more than one billion Android devices, essentially all of them in circulation. One of the vulnerabilities was found in a core Android library called libutils; it has been in the Android OS since it was first released and before there were even Android mobile devices. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities. Google has released patches into the Android Open Source Project tree, but public patches are not yet available.

123 comments

  1. Stagefright by tripleevenfall · · Score: 3, Funny

    It's always been the audience that scares me, not the stage.

  2. Call for mass-forking of Android by TheDarkener · · Score: 1, Insightful

    One of the great strengths of GNU/Linux is its diversity. Like biological life, it is constantly changing, morphing and becoming something new. And also like biological life, constantly changing helps protect against "bad stuff".

    I hereby call for a "fork-fest" of Android - everybody make your own distribution of Android, remove code, add code, make it different. Android is sort of lip-service to the open source ecosystem. I'm not saying that this vulnerability is a result of that lip service, but I'd really like to see many, many other versions of Android out there - it's inevitable that the whole will become stronger because of it.

    Because if everyone ate the same food we'd all probably die from the next super-virus that makes its rounds.

    --
    It is pitch black. You are likely to be eaten by a grue.
    1. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 3, Funny

      Yeah! Let's have loads of different new vulnerabilities to deal with. And the fragmentation of different versions of Android isn't enough, so let's add a fuckton of forked versions into the mix to spice things up.

      Inevitable that the whole will become stronger? Android (hardly forked) is wildly successful as is, Linux (heavily forked) is wildly unsuccessful on the desktop. Let's please not take Android down the path of desktop Linux.

      Jeez. It'd be less fork-fest and more bug-kakke.

      (sorry, just had to slip that one in).

    2. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 0

      They already have a bunch of different versions... There's CyanogenOS, PrivatOS (for the blackphone), Fairphone's version (don't know what it's called), Xiaomi's MIUI and many more versions of Android that haven't gotten much traction over the years. What you're calling for has already been done and continues to be done.

      FYI, there was even a Linux Gizmos article on 2 of these variants yesterday (http://linuxgizmos.com/forked-android-smartphones-advance-to-second-generation/)

    3. Re:Call for mass-forking of Android by peragrin · · Score: 0

      That's the problem: android is already massively fragmented. Every device / carrier combo is a unique device with its own update rules.

      That's why nexus devices get updates and nothing else does. The carriers won't update jack shit as that is like work.

      It is why Apple has such high new iOS and security update rates. They told the carriers to fsck off.

      --
      i thought once I was found, but it was only a dream.
    4. Re:Call for mass-forking of Android by tripleevenfall · · Score: 3, Insightful

      Fragmentation is one of Android's weaknesses, not a strength.

      Calling for more fragmentation makes no sense. It would leave people stuck on islands where features lag behind, incompatibilities abound, and no fixes will be available for future vulnerabilities. Fragmentation makes the problem worse, not better.

      The point isn't to emulate a walled garden, nor is it to have everyone brew their own a la Linux. The point is to make the user experience close to the simplicity and compatibility of the walled garden, while still preserving the open platform.

    5. Re:Call for mass-forking of Android by tripleevenfall · · Score: 3, Insightful

      The carriers are only going to do the minimum for each device. Why would they invest development time in a device that isn't for sale anymore?

    6. Re:Call for mass-forking of Android by Lumpy · · Score: 1

      I so wish that the next version of android that google tells carriers to fuck off.
      I am so done with the baked in crap from HTC/Samsung/etc and the deviation from pure android gets so bad that some like HTC confuses some people.

      New version require it to be pure with NO apps baked in and permanent or they can't advertise or use the name "android" in any way. It will force them all overnight to stop it. They also need to force them to push out updates 15 days after google does or lose the rights across all products.

      --
      Do not look at laser with remaining good eye.
    7. Re:Call for mass-forking of Android by rickb928 · · Score: 2

      My M8 is running Android 5.0.1, not the latest, but not what it was born with (4.4.2).

      Lots of phones get updates, but lots of lower performance phones do not, for obvious reasons. And unpopular phones ditto.

      The carriers do abandon phones regularly, but not universally.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    8. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 0

      One of the great strengths of GNU/Linux is its diversity. Like biological life, it is constantly changing, morphing and becoming something new. And also like biological life, constantly changing helps protect against "bad stuff".

      I hereby call for a "fork-fest" of Android - everybody make your own distribution of Android, remove code, add code, make it different. Android is sort of lip-service to the open source ecosystem. I'm not saying that this vulnerability is a result of that lip service, but I'd really like to see many, many other versions of Android out there - it's inevitable that the whole will become stronger because of it.

      Because if everyone ate the same food we'd all probably die from the next super-virus that makes its rounds.

      Fragmentation is the reason hundreds of millions of Android devices will NEVER be updated to remove this vulnerability.

    9. Re:Call for mass-forking of Android by gstoddart · · Score: 2

      It will also force them to find a new platform.

      Do you think either the OEMs or the carriers are going to stop doing this?

      Brand differentiation, monetization, vendor lock in ... all of these things say these companies have no interest in selling a vanilla version of Android. What's in it for them? Samsung has their own store, their own apps and ecosystem, and want people locked into Samsung.

      I agree with the sentiment, but if you think it'll happen you're kidding yourself.

      --
      Lost at C:>. Found at C.
    10. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 0

      I hope you were agreeing with me, rather than missing my rather obvious sarcasm. ;)

    11. Re:Call for mass-forking of Android by mwvdlee · · Score: 1

      And how exactly does this solve the problem of hardware manufacturers not updating locked firmware?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    12. Re:Call for mass-forking of Android by mwvdlee · · Score: 0

      A sense of moral responsibility?

      Nah, I'm just kidding! :)

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    13. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 0

      I'm not sure that I ever expected anything from the carriers (especially for tablets and the like that are wifi-only), since people switch carriers like women switch shoes. But I do expect better from the manufacturers, and am not likely to buy any Android devices in the future (as I'm not aware of any difference between the various manufacturers of Android devices wrt security updates).

    14. Re:Call for mass-forking of Android by macs4all · · Score: 0

      Yeah! Let's have loads of different new vulnerabilities to deal with. And the fragmentation of different versions of Android isn't enough, so let's add a fuckton of forked versions into the mix to spice things up.

      Inevitable that the whole will become stronger? Android (hardly forked) is wildly successful as is, Linux (heavily forked) is wildly unsuccessful on the desktop. Let's please not take Android down the path of desktop Linux.

      Jeez. It'd be less fork-fest and more bug-kakke.

      (sorry, just had to slip that one in).

      You are exactly correct, which is why none of the Fandroid-Mods will Mod you up.

    15. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 1

      A sense of moral responsibility?

      Nah, I'm just kidding! :)

      Now that made me laugh. It's sad that the idea of moral responsibility for a corporation is so absurd.

    16. Re:Call for mass-forking of Android by macs4all · · Score: 1

      The point isn't to emulate a walled garden, nor is it to have everyone brew their own a la Linux. The point is to make the user experience close to the simplicity and compatibility of the walled garden, while still preserving the open platform.

      Unfortunately, the "Curated Collection" (a/k/a "Walled Garden") approach and the "Free-for-All" (a/k/a "You asked for it") approach appear to be mutually-exclusive.

      Android tries to split the difference now as it is, by having the User have to "disable" the "Only From Play Store" download switch (or is it the other way around?) but that simply doesn't work, mainly because even very significant percentages of Play Store Apps have been found to be unsafe.

      Face it. Android's Security Model is a shambles, and although they have (finally!) emulated iOS's Security Model ('bout time!), most of the Android Devices in the field right now will NEVER see those changes.

    17. Re:Call for mass-forking of Android by macs4all · · Score: 0

      They already have a bunch of different versions... There's CyanogenOS, PrivatOS (for the blackphone), Fairphone's version (don't know what it's called), Xiaomi's MIUI and many more versions of Android that haven't gotten much traction over the years. What you're calling for has already been done and continues to be done.

      FYI, there was even a Linux Gizmos article on 2 of these variants yesterday (http://linuxgizmos.com/forked-android-smartphones-advance-to-second-generation/)

      Yeah, that's the ticket: Trade broken "Official" Android versions with "Who the fuck knows?" versions from Jailbreakers.

      Psst! Hey buddy: Wanna buy a REALLY SECURE version of Android? Come on over to this site. All ya gotta do is Jailbreak your phone's bootloader, sideload this REALLY SECURE version of Android, and everything will be A-Ok, I PROMISE...

    18. Re:Call for mass-forking of Android by macs4all · · Score: 1

      The carriers are only going to do the minimum for each device. Why would they invest development time in a device that isn't for sale anymore?

      Um, because Apple does?

    19. Re:Call for mass-forking of Android by InlawBiker · · Score: 1

      Fragmentation isn't the problem. Even if somebody built a secure fork who would adopt it? Not Google. Not Samsung. Android is fundamentally built without security in mind. This is just the beginning of the Android flaws, they could be coming for years. It needs a complete audit and overhaul. Jezus now I have to fork over almost a grand to Apple so I can do my job safely!

    20. Re:Call for mass-forking of Android by FatdogHaiku · · Score: 1

      Jeez. It'd be less fork-fest and more bug-kakke.

      Well... That's an image I didn't need...
      never gonna look at my phone the same way again...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    21. Re:Call for mass-forking of Android by macs4all · · Score: 1

      I so wish that the next version of android that google tells carriers to fuck off. I am so done with the baked in crap from HTC/Samsung/etc and the deviation from pure android gets so bad that some like HTC confuses some people.

      New version require it to be pure with NO apps baked in and permanent or they can't advertise or use the name "android" in any way. It will force them all overnight to stop it. They also need to force them to push out updates 15 days after google does or lose the rights across all products.

      Apple did it. What's Google's problem?

      Does anyone here even SLIGHTLY believe that Google doesn't have as much negotiating leverage as Apple?

    22. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 0

      So don't buy cheap low end cost-cutting Android devices?

      Practically all medium to high-end devices got their first StageFright patch faster than APL fixes their bugs LOL

    23. Re:Call for mass-forking of Android by macs4all · · Score: 1

      And how exactly does this solve the problem of hardware manufacturers not updating locked firmware?

      Do you really think that the OEMs don't have the "magic key" that unlocks the unlockable?

      Because if not, and they REALLY have to get out the JTAG programmer and open up each and every phone, then those OEMs should be taken out back, stripped, and introduced to goatse...

    24. Re:Call for mass-forking of Android by penguinoid · · Score: 1

      One of the great strengths of GNU/Linux is its diversity. Like biological life, it is constantly changing, morphing and becoming something new. And also like biological life, constantly changing helps protect against "bad stuff".

      You're confusing evolution with Intelligent Design. Constantly changing, even randomly, is a valid way to outwit a slowly evolving creature -- but for software, it means constantly risking the introduction of new flaws. In biology, just about any change means the enemy has to slowly evolve to take advantage of it -- but for software, you face intelligent attackers. Software has an advantage compared to biology -- well-made software provides an impermeable defense, that can't be breached unless you convince the idiot at the gate to let in a trojan horse. Although apparently no one can be bothered to actually write secure code, we certainly can patch any flaws found, which is almost as good if done in a timely manner.

      As for diversity, the analogy holds more closely; a flaw in one need not mean a flaw in the other, and any exploit is less valuable, but it is more likely that one or the other is exposed. However, in software it also means that developer time is split up among the diversity, besides causing compatibility problems.

      What we need is a fork with proper permissions management, which will be unpopular for advertisers and need-to-read-your-contacts-list flashlight apps.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    25. Re:Call for mass-forking of Android by TheRaven64 · · Score: 1

      The problem is phones sold by the carrier, which are then customised. Apple doesn't allow this kind of customisation, so there's no reason for the carrier to be anywhere on the upgrade path. Most Android vendors do, which means that you have to get the firmware upgrades from them, rather than the manufacturer. If you buy one directly, then manufacturers vary wildly (and so do devices from the same manufacturer) in how timely they are in pushing updates. And they're all pretty bad, so there's not much incentive to compete.

      --
      I am TheRaven on Soylent News
    26. Re:Call for mass-forking of Android by TheRaven64 · · Score: 1

      I so wish that the next version of android that google tells carriers to fuck off. I am so done with the baked in crap from HTC/Samsung/etc and the deviation from pure android gets so bad that some like HTC confuses some people.

      Are you complaining about carriers or manufacturers? Google can't tell manufacturers (HTC/Samsung/etc) to fuck off, because they're the ones that build the device. There are already fairly strict restrictions on what you can do if you want to include the Play store (i.e. you have to install all of the other Google crap), which is what's pushing Samsung to fork Android, but the core open source OS is... open source.

      The manufacturers, on the other hand, could tell the carriers to fuck off, and not provide support for installing carrier-supplied shovelware on phones bought through the carrier.

      --
      I am TheRaven on Soylent News
    27. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 1

      Uhm... You know that tens of thousands of malware / spyware apps trampled that walled garden a week or two ago, right?

      There has been a bunch of apps that should not have been allowed on the store but made it in on top of that (even though they were found useful, but that's not the point)... things like the secret flashlight tethering app a couple years ago, that security researcher who had 10-100k users download his potentially malicious command-and-control center?

      Are you seriously still believing that i things are immune to malware?

    28. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 0

      So is that why you can regularly jb your devices? You know that's a security flaw that can be used by malware and viruses, right?

    29. Re:Call for mass-forking of Android by macs4all · · Score: 0

      The problem is phones sold by the carrier, which are then customised. Apple doesn't allow this kind of customisation, so there's no reason for the carrier to be anywhere on the upgrade path. Most Android vendors do, which means that you have to get the firmware upgrades from them, rather than the manufacturer. If you buy one directly, then manufacturers vary wildly (and so do devices from the same manufacturer) in how timely they are in pushing updates. And they're all pretty bad, so there's not much incentive to compete.

      Thanks Captain Obvious.

      So, since you have (correctly) identified the problem, why hasn't Google fixed it?

    30. Re:Call for mass-forking of Android by 0123456 · · Score: 2

      Practically all medium to high-end devices got their first StageFright patch faster than APL fixes their bugs LOL

      I think my phone got it last week. But I'm not sure, because my carrier doesn't even tell me what bugs their new OS updates have fixed. I may or may not have it on my Nexus 7. I know I don't have it on any of my other Android devices, because manufacturers have abandoned them.

      I know I got the latest Apple bug-fixes on my iPad, because it downloaded last night, and said what it fixed.

      Android security updates are a complete clusterfsck. Enough that my next phone is more likely to be Windows than Android (but more likely to be Apple than either).

    31. Re:Call for mass-forking of Android by macs4all · · Score: 4, Informative

      Uhm... You know that tens of thousands of malware / spyware apps trampled that walled garden a week or two ago, right?

      Tens of thousands? REPUTABLE Citation, please?

      There has been a bunch of apps that should not have been allowed on the store but made it in on top of that (even though they were found useful, but that's not the point)... things like the secret flashlight tethering app a couple years ago, that security researcher who had 10-100k users download his potentially malicious command-and-control center?

      Are you seriously still believing that i things are immune to malware?

      I (and Apple) never said iOS Devices are IMMUNE from Malware; but I think that iOS' track record in that regard speaks for itself.

      Plus, I love the way that Fandroids keep harping on the VERY few examples of things slipping past (having to go back YEARS to find one or two examples of Trojans that made it through Apple's Approval Process), and blithely IGNORE the metric buttload of (also see the links in that article) malware-containing Apps in the Android ecosystem, a good number of which are, or until recently, when Google started getting more serious about vetting Apps, were available in the Play Store.

    32. Re:Call for mass-forking of Android by tripleevenfall · · Score: 1

      There's no one standing between an iPhone user and Apple disrupting the process. The user's phone is connected directly to the vendor, who can push updates to it without interference.

      As a result, a user who bought an iPhone 4S in 2011 is still on the latest and greatest today. Someone who bought a Galaxy S2 in 2011 was left at Jelly Bean.

    33. Re:Call for mass-forking of Android by MachineShedFred · · Score: 1

      Not necessarily for corporations, but definitely for telcos.

      They've had no sense of moral responsibility since telegraphs were in use.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    34. Re: Call for mass-forking of Android by Anonymous Coward · · Score: 0

      How nice of them. One version bump. I bet you won't be able to get 6.0.

    35. Re:Call for mass-forking of Android by MachineShedFred · · Score: 2

      Probably market dynamics. Google doesn't have relationships directly with carriers except for with the Nexus devices. The carriers deal with the OEMs, and the OEMs deal with Google. Google has all the muscle, and none of the standing to get it done. The OEMs have none of the muscle, but all of the standing.

      As Apple plays both the part of Google and OEM in their ecosystem, they have both the muscle and standing.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    36. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 0

      Google doesn't deal directly with the telcos, except in the case of Nexus.

      Telcos buy phones from the OEMs, the OEMs license the OS from Google. Google can't force the telcos to do shit without throwing all the OEMs under the bus and making them seriously consider moving to a competing platform, or in the case of Samsung, get whole-hog behind Tizen.

    37. Re:Call for mass-forking of Android by TheGratefulNet · · Score: 1, Troll

      I continue to hate on google.

      a friend convinced me to try a 'new' android phone (older used one but a few gens back so its now affordable). my one and only android, the N1, is stuck at 2.2 or something equally ancient and I'm tired of that being such a POS.

      refurb phone came with 4.4. I rooted it (lg g2) and installed twrp recovery (not easy at all, for some reason) and then a custom rom based on 4.4, supposedly with lots of fixes.

      I then find out that vpn is broken (by design) in ALL 4.4 codebases. everyone complains about this, if you search on it. google broke an api or something and nothing works anymore for vpn.

      I bought a 2nd phone of the same type as a spare. that one came with 5.0 installed. tried the custom rom for that version and vpn works; but the led indicator won't work (at all) for newmail or unanswered calls.

      so, I get to pick which version I run; broken vpn but all else (mostly) working or broken led but vpn does work.

      sigh. this was supposed to be a good phone, too. it's been out long enough so it should be stable but it's not. god knows what else is broken but I have not found it yet.

      stock os is not any better and has bloat which needed to be removed, anyway.

      when I searched for the vpn issue, it seems that google has left this open for more than a year, unfixed! their reply: essentially saying 'go to 5.x and abandon 4.x'.

      great. just great. I can do that but many others can't, and the led indicator is broken on 5.x, with no fix in sight that I can find.

      android is a fucking mess. a total steaming pile of shit. the reason people put up with this is because there are not many other choices. few want any part of MS anymore, many (like me) don't love apple; and so there's nothing really left anymore but android ;(

      a year and no vpn fixes. 4.3 worked (from what I've read). 4.4.* broke it. there is nothing newer than that in the 4.x train (is there?). 5.x is a mess, as well.

      this does not even address the security issue (SF). if I want a fix for this, I'm essentially on my own. I have not seen any fixes for this phone yet and since its 'old' now, I doubt I will.

      thanks google. you are THE 'short attention span' poster child of the century. you have the talent to be a good vendor but you seem to not care! how sad. strong ability but you lack focus and you give up on things PEOPLE ACTUALLY USE and just move onto the next shiny thing.

      sigh. android will continue to be a mess and a nexus does not guarantee anything about patches or support. google just has no reason to care about you. they don't get paid by you, they are not working for you and whatever they throw over the wall, the fanboys will think its great no matter what.

      --
      "It is now safe to switch off your computer."
    38. Re:Call for mass-forking of Android by swv3752 · · Score: 1, Informative

      Unless you bought a Nexus device, most of the issues you mention are the fault of the Vendors and the carriers, not Google.

      --
      Just a Tuna in the Sea of Life
    39. Re:Call for mass-forking of Android by idontgno · · Score: 1

      Because if not, and they REALLY have to get out the JTAG programmer and open up each and every phone, then those OEMs should be taken out back, stripped, and introduced to goatse...

      Tell you what.

      You do whatever you can to fulfill this entertaining bit of justice. And the wireless companies will spend a small portion of their significant wealth to buy whatever it takes to prevent the occurrence of this. Which one wins?

      Yeah, in a just world, Android users wouldn't be held captive by wireless providers that won't let you on their network with closed-ROM phones, and take no responsibility for the closed-ROM phones they sell you beyond selling you the next one, "THIS ONE NOT VULNERABLE TO THOSE EXPLOITS."

      This isn't a just world. Money walks, good intentions (and Internet poseurs spouting noise about vigilantism) just talks.

      The reality on the ground is this: a large subset of the > 1 billion current Android devices will never be free of this vulnerability. And that's ok by the manufacturers and network providers, because it's a market opportunity.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    40. Re: Call for mass-forking of Android by Anonymous Coward · · Score: 0

      I own three iPod Touches, none of which Apple supports now. The newest one fell out of support a little less than a year after I bought it new.

    41. Re:Call for mass-forking of Android by mlw4428 · · Score: 1

      Software isn't food and it isn't alive. Forking is a terrible idea. Phone carriers would never let forks run on their networks, knowingly, for various reasons. Also forking Android doesn't mean the flaws would all suddenly go away. What if the flaw was in a base part of the code? Other flaws could be introduced as well. All you're doing is spreading the risk, not fixing the problem.

    42. Re:Call for mass-forking of Android by macs4all · · Score: 1

      Probably market dynamics. Google doesn't have relationships directly with carriers except for with the Nexus devices. The carriers deal with the OEMs, and the OEMs deal with Google. Google has all the muscle, and none of the standing to get it done. The OEMs have none of the muscle, but all of the standing.

      As Apple plays both the part of Google and OEM in their ecosystem, they have both the muscle and standing.

      I agree that Google let the horse out of the barn in the beginning; but maybe the OEMs, if not the Carriers, will change their tune if enough migration away from Android happens.

      In that world, even a 1% migration amounts to hundreds of thousands, if not a few million, lost sales.

    43. Re:Call for mass-forking of Android by macs4all · · Score: 1

      The reality on the ground is this: a large subset of the > 1 billion current Android devices will never be free of this vulnerability. And that's ok by the manufacturers and network providers, because it's a market opportunity.

      And it's ok by Apple, too; who are beginning to see the record-breaking hordes of jaded Android users migrate back to the relative safety (and definitely better upgrade policy!) of iOS.

    44. Re:Call for mass-forking of Android by macs4all · · Score: 1

      Google doesn't deal directly with the telcos, except in the case of Nexus.

      Telcos buy phones from the OEMs, the OEMs license the OS from Google. Google can't force the telcos to do shit without throwing all the OEMs under the bus and making them seriously consider moving to a competing platform, or in the case of Samsung, get whole-hog behind Tizen.

      Quit making excuses for Google.

      They are DEFINITELY powerful enough to force a new Reseller Agreement down pretty much every OEM's throat, except maybe Samsung.

      And if Samsung is the sole major resistant OEM, guess what's going to happen to THEIR sales?

    45. Re:Call for mass-forking of Android by MobileTatsu-NJG · · Score: 1

      Fragmentation is why Google is going to have a hard time containing these vulnerabilities. The number of phones that will never be fixed is shockingly high.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    46. Re:Call for mass-forking of Android by TheGratefulNet · · Score: 5, Interesting

      google designed a faulty os, their update model is broken, their fragmentation is a nightmare and the fact that they broke vpn's for ALL of 4.4 is NOT a carrier issue, my friend!

      I love to blame carriers, too; but vpn api being broken for a year and NOT BEING FIXED is a carrier issue to you? how in the world is that their fault when google, themselves, abandoned 4.4 for key bugfixes?

      I'm supposed to jump on 5.0 and not expect MAJOR bugs to be fixed in just a few versions back; a still-current version for most people??

      google owns this one. sorry if that goes against your narrative but vpns being broken in a whole version and never being fixed is a huge slap in the face.

      --
      "It is now safe to switch off your computer."
    47. Re: Call for mass-forking of Android by Anonymous Coward · · Score: 0

      Nope. We can get a Windows phone for considerably less. This may be the opening Microsoft needs.

    48. Re: Call for mass-forking of Android by macs4all · · Score: 1

      Nope. We can get a Windows phone for considerably less. This may be the opening Microsoft needs.

      ...and get a considerably less valuable platform.

      There's a reason that people are flocking in record numbers from Android to iOS, and NOT to Windows Phone, and it ain't no "Reality Distortion Field", or other such nonsense.

    49. Re: Call for mass-forking of Android by cyber-vandal · · Score: 1

      It's OK the market will fix it.

    50. Re:Call for mass-forking of Android by NatasRevol · · Score: 1

      Does anyone here even SLIGHTLY believe that Google doesn't have as much negotiating leverage as Apple?

      Holy crap yes.

      Apple sells phones directly to users for the carriers.

      Google sells an OS to the phone manufacturers who customize who then sell it to the carriers who customize it some more who then sell it to the users.

      Google can't do shit to that chain. Mindbogglingly, it's actually what they wanted.

      --
      There are two types of people in the world: Those who crave closure
    51. Re: Call for mass-forking of Android by Anonymous Coward · · Score: 1

      I have what was, when released, alleged the best Android device out there.

      It took the call carrier more than a year to release the first upgrade.
      At that, the update did not patch known security issues in Android, even though Google had publicly released those security patches.

      I can rest assured that the security patch for Stagefright, on Android for that device will never come.

    52. Re:Call for mass-forking of Android by MikeBabcock · · Score: 1

      And yet everyone who posts that fails to realize how different everyone else's view of a 'perfect' OS is. Fragmentation means we don't all have to be the same.

      --
      - Michael T. Babcock (Yes, I blog)
    53. Re:Call for mass-forking of Android by BasilBrush · · Score: 1
    54. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 0

      I'd say the minuscule security flaws found in Android pale in comparison to the thousands of Windows security flaws released throughout the years. When Android starts seeing 200+ security patches per year then we can have this conversation.

    55. Re: Call for mass-forking of Android by Karlt1 · · Score: 1

      When there is a security vulnerability found on Windows, I can download the patch without waiting for Dell no matter how much crapware Dell installs.

    56. Re: Call for mass-forking of Android by Karlt1 · · Score: 1

      Google sells an OS to the phone manufacturers who customize who then sell it to the carriers who customize it some more who then sell it to the users.
      Google can't do shit to that chain. Mindbogglingly, it's actually what they wanted.

      Microsoft sells an OS to computer manufacturers who customize it and they sometimes sell them to resellers who further customize it (i.e. Best Buy). Guess what? When Microsoft provides a security update, I don't wait on Dell or Best Buy for the patch.

      When MS releases a new OS, they take responsibility for creating drivers for the most common hardware. I was able to install Windows 7 on my old abandoned 2006 Core Duo Mac Mini without waiting on Apple to provide drivers.

    57. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 0

      Uhm... You know that a tens of thousands of malware / spyware apps trampled that walled garden a week or two ago, right?

      Tens of thousands? REPUTABLE Citation, please?

      Not saying that it wouldn't be nice to have a reputable citation, but it would be interesting to know what you had in mind.
      Every newspaper or journal that would write about it has a commercial interest in exaggerating the numbers.
      Every security company has a commercial interest in if not exaggerating at least doctoring the numbers in some way.
      Apple and Google aren't neutral either so any numbers from them will likely include or exclude or include large subsets that should or should not be there.
      You can try to fish around after people who sell exploits, but then again, commercial interest in exaggerating the possibilities.
      Perhaps NSA have made some investigation into the matter but I trust a random AC more than I trust them.

      I can't think of a possible source for a reputable citation, you will have to do with a citation at most and then it is up to you to take it at face value or verify yourself.
      Absolute truths are not easy to come by. Philosophers have actually made convincing arguments that they don't exist at all.

    58. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 0

      Given the choice between an ecosystem that is mostly safe with the occasional malware, so it is assumed that everything is safe and so you don't check,
      and a system that you know there is a lot of malware and so you check everything first, I know which I prefer ...

    59. Re: Call for mass-forking of Android by NatasRevol · · Score: 1

      Google chose a different route than Apple or Microsoft. The worst of both worlds, if you will.

      That's entirely on Google.

      --
      There are two types of people in the world: Those who crave closure
    60. Re:Call for mass-forking of Android by Lumpy · · Score: 1

      No it won't. You seem to not understand consumer demand.....

      Want an example? sure!

      Look at any phone running a Microsoft OS.

      --
      Do not look at laser with remaining good eye.
    61. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 0

      There should be ads on TV - "Buy Mac, forget about your old mental problems, welcome to wealthiest brainwashed sect sponsored by mentally challenged. Ten spam post per hour are mandatory."

  3. Stagefright 2.0?? by Anonymous Coward · · Score: 0

    heartbleed, stagefright .. who the fu** comes up with these names? Seeking the media attention huh?

    1. Re:Stagefright 2.0?? by ArmoredDragon · · Score: 1, Insightful

      The heartbleed name made perfect sense actually. It targeted the OpenSSL Heartbeat feature, and the exploit caused it to leak sensitive data.

      I can't claim to know why stagefright got its name though as I don't know all of the details about it.

    2. Re:Stagefright 2.0?? by CimmerianX · · Score: 1

      Next up in the queue of names:
      "Death-by-Torture"
      "FlayedAlive"
      "Disemboweled"
      and lastly....
      "Pink-Unicorn" (just to mess with people's heads)

    3. Re:Stagefright 2.0?? by xaosflux · · Score: 1

      This is literally a vulnerability in the "libStageFright" operating module - not a marketing term.

    4. Re:Stagefright 2.0?? by Anonymous Coward · · Score: 0

      also ..
      "DoomFart"
      "EtherFisting" ..

    5. Re:Stagefright 2.0?? by amicusNYCL · · Score: 1

      I believe that libstagefright in Android is the module that makes it possible to see a preview of certain MMS messages. So, if someone sends me a picture, and I open the messages app, next to their name in the conversations list I see part of the picture they sent, and of course if I click on the conversation I'll see the whole thing. I believe that libstagefright is what makes that little preview in the conversation list possible. I'm not sure why the developers chose to call that library stagefright though.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    6. Re:Stagefright 2.0?? by Tintivilus · · Score: 1

      Stagefright is one of the Android media libraries. It's sort of the Android analog of ffmpeg's libavcodec and libavformat

      https://android.googlesource.com/platform/frameworks/av/+/master/media/libstagefright

  4. Re:1st! by jhesse · · Score: 1

    Much like Android's patching system, you are way too late.

    --
    "I have also mastered pomposity, even if I do say so myself." -Kryten
  5. Google gave away too much control by ilsaloving · · Score: 1

    It's unfortunate that Google gave away so much control of Android. This means pretty much all Android devices are vulnerable, and unless the user has the skill and ability to install a non-vendor version of Android (eg: cyanogenmod), then these people are screwed.

    Most android device manufacturers can't be bothered to release updates for their devices, and even when they do, you may still get railroaded by the carrier, leaving a very large number of devices vulnerable to who knows how many exploits. Of course, considering that Google itself has abandoned its own devices within months of selling them, they aren't exactly a shining example either.

    I'm waiting for the IoT to turn into the BoT (Botnet of Things).

    1. Re:Google gave away too much control by Anonymous Coward · · Score: 0

      Setting aside the issue of manufacturers of Android devices not providing security and other updates for their Android-based products, one has to wonder what would happen if all of the internet-enabled light-bulbs in the world needed to be updated. Would that look like a DDOS against the software/firmware providers or against the internet as a whole?

    2. Re:Google gave away too much control by macs4all · · Score: 0

      It's unfortunate that Google gave away so much control of Android. This means pretty much all Android devices are vulnerable, and unless the user has the skill and ability to install a non-vendor version of Android (eg: cyanogenmod), then these people are screwed.

      No, what's "unfortunate" (actually bordering on criminal negligence) is Google not AMENDING their OEM and Carrier Policies to be more in line with Apple's.

      The ONLY explanation at this point is that Google simply doesn't care about what happens to its Users, so long as the Click Revenue and Data Mining is running full-tilt-boogie.

  6. Sigh by Anonymous Coward · · Score: 0

    To me, Android is a bit like Firefox. I only use it because it sucks the least. I don't like either one.

  7. It's open source, fix it yourself by slashdice · · Score: 1

    right?

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    1. Re:It's open source, fix it yourself by Anonymous Coward · · Score: 0

      Fixing it isn't the problem, but distributing the fix is.

    2. Re:It's open source, fix it yourself by Anonymous Coward · · Score: 0

      Well, this is one of the beauties of open source: we're having a public conversation about it, where a security researcher can go through the code history and tell you exactly what the vulnerability's history is and where it's at.

      Private code? You just don't know--all those discussions are happening in the darknet.

      Just because you don't hear something doesn't mean it's not there.

  8. Won't buy from Motorola or Verizon again! by PeterM+from+Berkeley · · Score: 4, Interesting

    How do I inform Verizon and Motorola that I won't buy an android phone from them EVER AGAIN until they start supporting their products with security patches?

    My phone STILL hasn't been patched from the first stagefright vulnerability. I've disabled functionality on the phone in order to protect it.

    I'm downright upset about the lack of security fixes from Motorola/Verizon.

    Seriously, how do I let those two corporations know in an effective way that they'll NEVER get another phone purchase from me until they've changed their do-nothing security practices? Not one penny!

    1. Re:Won't buy from Motorola or Verizon again! by gstoddart · · Score: 4, Insightful

      Well ... you could picket naked outside of their offices ... you could post a stern comment on Slashdot ... you could send a stern letter to their customer service ... or you could simply not buy them.

      Except the first one, which might get you some media coverage, the remainder will all have the exact same result ... nobody will give a crap.

      Don't get me wrong, I agree with you. But one lone consumer saying they won't buy the product? Sorry, but the net result of that is precisely nil ... corporations don't care about one individual, and unless a very large amount of customers do something very vocal, nothing at all will happen.

      And those "market solutions" everybody talks about? They don't happen either, because consumers fail to care, or nobody builds the competing version and sells it in order for people to choose it.

      So, your only real solution? Buy a Nexus device. Those are the ones which always get updates. Pretty much every proprietary version will get support until the manufacturer moves on to the next model.

      --
      Lost at C:>. Found at C.
    2. Re:Won't buy from Motorola or Verizon again! by Anonymous Coward · · Score: 0

      You don't and they don't care. This is why I only buy Nexus phones and use AT&T. Neither are perfect, but I left Verizon four years ago and will never go back. My Nexus phone should have an update fairly quickly, likely before the weekend is upon us.

    3. Re:Won't buy from Motorola or Verizon again! by Lumpy · · Score: 1

      Easy, stop buying phones from them and only buy from play.google.com

      --
      Do not look at laser with remaining good eye.
    4. Re:Won't buy from Motorola or Verizon again! by ArmoredDragon · · Score: 2

      You don't. Verizon just does whatever the hell they want to do.

      Though if a stagefright vulnerability made it into the wild and started bringing down Verizon's wireless infrastructure...that might trigger a reaction. Hard to say though, because the affected customers would get a high data bill, which Verizon would love. Though if they can demonstrate in a civil court that a Verizon brand phone operating within Verizon's own parameters is misbehaving due to somebody the customer has no relationship to taking nefarious action, that might prompt a few lawsuits....and that too might trigger a reaction.

    5. Re:Won't buy from Motorola or Verizon again! by phantomfive · · Score: 1

      You need to find the appropriate product manager, and inform them.
      There are people whose job it is to figure out what people want. You need to find those people and communicate with them.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Won't buy from Motorola or Verizon again! by Anonymous Coward · · Score: 0

      You and 60000 other people don't buy their products. When they poll you for a reason, link here.

    7. Re:Won't buy from Motorola or Verizon again! by Anonymous Coward · · Score: 0

      Hmm... have you purchased directly from Motorola recently? I recently bought directly through Motorola and it seems to be getting updates directly from Motorola that address these sorts of things without going through Verizon.

      The previous Motorola-Verizon phones I purchased, were iffy or stagnant about updates but I've been pleasantly surprised so far with my recent purchase. Something seems to be changing with Motorola in that regard (Verizon too, although in a different way).

    8. Re:Won't buy from Motorola or Verizon again! by nnull · · Score: 1

      Don't forget Samsung as well who still to this date haven't really done anything with Stagefright. And Google still hasn't really completely patched against it for how long now? These phones are starting to be worse than Windows 98 full of malware and spyware.

    9. Re:Won't buy from Motorola or Verizon again! by Anonymous Coward · · Score: 0

      You need to find the appropriate product manager, and inform them.

      There are people whose job it is to figure out what people want. You need to find those people and communicate with them.

      "inform them", "communicate with them". You mean break their legs right? Chances are, they're just another upper management sociopath who won't understand anything less.

    10. Re:Won't buy from Motorola or Verizon again! by sexconker · · Score: 1

      Send them a comically large postcard stating this fact, take pictures as you go to mail it and post them to their corporate Twitter/Facebook/whatever.
      The text on the comically large postcard should be sarcastic and ironic. Dress it up to be like a giant check those prize patrol vans hand out. Use words and phrases like "Congratulations!" or "You have been selected to never get any of my money!" or "1,000,000,000 Devices Vulnerable!".

      The tech tabloids and "news" aggregators will pick it up and the "story" will "go viral". You may even get a glancing mention on some TV news show.

      The companies in question will pay you lip service with "We're working to improve our blah blah blah" and nothing will change. You may get a free new phone, either from the companies in question or from a competitor. I could see MS throwing the latest Windows Phone at you, or Google taking the opportunity to shill the newest Nexus. Apple would love any attention the story gets, but I'd be shocked if they'd give you a free phone.

    11. Re:Won't buy from Motorola or Verizon again! by TheRaven64 · · Score: 1

      I bought a Moto G directly. They've shipped a fix to 'carrier partners', but it's not yet appearing for direct download.

      --
      I am TheRaven on Soylent News
    12. Re:Won't buy from Motorola or Verizon again! by acoustix · · Score: 1

      Answer: class action lawsuit.

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
    13. Re:Won't buy from Motorola or Verizon again! by Anonymous Coward · · Score: 0

      What the hell are you talking about?

      http://wccftech.com/stagefright-fix-for-verizon-sprint-devices/

      Samsung's already updated their 2 year old S4... pretty sure my S5 (installed an update recently, but I turned off auto-checking and forgot to check the date) and definitely the S6 variants are all updated. and this post was last month...

    14. Re:Won't buy from Motorola or Verizon again! by bill_mcgonigle · · Score: 1

      Easy, stop buying phones from them and only buy from play.google.com

      Has Google added any non-basic phones yet? I only have four requirements and I'd buy pretty much any phone that had them:
      1) MicroSD slot (swap cards as needed)
      2) removable battery (security)
      3) unlocked bootloader (load useful software)
      4) will activate on the VZW network (geography)

      Everything else about the phones are common enough today that I don't even care. I haven't found a single one so far that passes this basic test. Prove me wrong, Slashmind.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    15. Re:Won't buy from Motorola or Verizon again! by drinkypoo · · Score: 1

      I bought a Moto G directly. They've shipped a fix to 'carrier partners', but it's not yet appearing for direct download.

      Install AOSP or CM and you'll get the fix. Sadly, both are somewhat rough. Latest AOSP for titan murders my battery.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    16. Re:Won't buy from Motorola or Verizon again! by macs4all · · Score: 1

      So, your only real solution? Buy a Nexus device. Those are the ones which always get updates. Pretty much every proprietary version will get support until the manufacturer moves on to the next model.

      That's not your ONLY solution...

      And iOS almost always reaches several models back with Updates. And if they are critical Updates, sometimes even further back than usual.

    17. Re:Won't buy from Motorola or Verizon again! by 0123456 · · Score: 1

      You don't and they don't care. This is why I only buy Nexus phones and use AT&T.

      But you can still buy a new Nexus 7 in the local electronics stores. Apparently that's getting one more OS upgrade next week, then security fixes for one more year. Then it's done.

      Google don't support their devices, either.

    18. Re:Won't buy from Motorola or Verizon again! by amicusNYCL · · Score: 1

      While the process to buy one is kind of a pain until the company figures out their manufacture and supply issues, look at OnePlus for your next phone. The phones are not tied to any carrier, you own them outright and they sell them dirt cheap for very low margins (hence the complete lack of spare inventory standing by for you to purchase). I have a OnePlus One that is almost a year old and it's currently running Android 5.1.1 (shipped with 4.4.4 I think) plus Cyanogenmod. The current phones are running their proprietary OxygenOS instead of CM because of licensing deals gone wrong, but I would still expect regular updates from the manufacturer regardless of carrier. Just do your research to make sure it's going to work on your carrier in your country.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    19. Re: Won't buy from Motorola or Verizon again! by Anonymous Coward · · Score: 0

      I answer those for you. In order: some, no, yes, some.

    20. Re:Won't buy from Motorola or Verizon again! by nnull · · Score: 1

      Note didn't get crap and a lot of unlocked samsung devices have not received any update notifications. The world doesn't all run on Verizon or Sprint.

    21. Re: Won't buy from Motorola or Verizon again! by Anonymous Coward · · Score: 0

      I'm not joking when I say I am seriously considering going back to a Blackberry Classic. While only having 1% of the market, BB never suffered the BS that Apple and Google do. I don't even need an app store. I use text and email only. Everything else for me is superfluous.

    22. Re:Won't buy from Motorola or Verizon again! by TheGratefulNet · · Score: 1

      I also valued the sd card and swappable battery. it was hard for me to convert over to an lg g2 (at a friend's request). the sd card thing is not hard to deal with; a $10 OTG adapter gives you usbstick access or even micro-sd. it sticks out (dongle) but it's not horrible.

      battery wise, my phone can take new batteries but it's a huge issue to open the phone and dig out so many things. the batt is not soldered in, but it's pretty deep inside. still, a batt change would be needed every 2 years or so and when that time comes, I'll do the $15 batt replacement. in the short term, sigh, there's always those usb batteries that are very common now.

      lg g2 bootloader is unlocked. it's not a current phone but it's buyable for $120 or so, refurb or clean-used, and that's not a bad deal for what was once a flagship and still is quite competitive.

      I went with vzn, as well, due to their coverage. sucks, though, that there are different physical phone models for each carrier. even the case you buy for the phone has to match the vzn version or the att version. absurd!

      phones really are stupid. I blame the kids who basically don't know the history of how computers COULD be and SHOULD be, and ignored all this shared wisdom we had over the past decades (in computer theory and usability) and basically started from zero and made all those same mistakes again that could have been avoided if they only hired some folks who have been working in software for more than a year after college ;(

      thru and thru, android shows that it was not well thought out and is one kludge over another.

      is android linux? not really. take a linux admin who has lots of experience and give him an adb shell into a phone. have him poke around. are there syslog files? man pages? can you even friggin run ifconfig -a? no. nothing of the sort. it's not like any linux I've been on. whatever I tried other than df, pwd, ls (and such) didn't work. it's not really linux as we know it. it COULD HAVE BEEN but the children in control decided against it for some reason.

      really absurd. shame what this could have been but wasn't.

      --

      --
      "It is now safe to switch off your computer."
    23. Re:Won't buy from Motorola or Verizon again! by Anonymous Coward · · Score: 0

      No phone I know of in the past 3 years meets all those criteria. Nexus phones lack 1 and 2 and sometimes 4 and I'm not aware of VZ phones with 1 and 2 that also have 3.

    24. Re:Won't buy from Motorola or Verizon again! by b0bby · · Score: 1

      Motorola seems ok to me - I have an unlocked 2013 Moto X and got a Stagefright update a couple of weeks ago.
      I try to avoid Verizon if I can anyway.

    25. Re:Won't buy from Motorola or Verizon again! by mlw4428 · · Score: 1

      Well you could take the fight club approach and blow up their HQ offices while having a plane flying by raining down leaflets telling them why it got blown up. That would probably get their attention.

    26. Re:Won't buy from Motorola or Verizon again! by nevermore94 · · Score: 1

      What Moto phone do you have anyway? The OG Moto X recently got the fix along with the Lollipop update and the Moto Droid Turbo just began soak tests today so it is probably coming to everyone within a week or two.

      I am a Computer Systems Engineer and an Android developer as well as the proud owner of an OG Moto X DE, and I was utterly unconcerned about the 1st Stagefright vulnerability because of ASLR protection. With Stagefright 2.0 they claim they can get around ASLR, but this has yet to be proven by a 3rd party as far as I am aware. Anyway, it can all be mitigated by disabling auto-loading of MMS, which is what I assume you mean by "disabled functionality", which is how I have always configured my phones because I hate when someone texts you any random video and it automatically starts playing without your approval.

      --
      Nevermore.
    27. Re:Won't buy from Motorola or Verizon again! by Anonymous Coward · · Score: 0

      People who don't know will continue to give them money. You fix the problem like you fix almost every other problem in life - by educating the masses.

      Any other choice you alone make will end up making no difference at all.

    28. Re:Won't buy from Motorola or Verizon again! by thegarbz · · Score: 1

      My phone STILL hasn't been patched from the first stagefright vulnerability. I've disabled functionality on the phone in order to protect it.

      Protect it from what? If your phone was made in the past 3 years it likely has a version of Android that implements ASLR which severely limits what arbitrary code execution can do on a device. This is especially important given the insane fragmentation of Android which makes all but the most targeted of attacks quite useless and even then they are very difficult. End result is that no one has been able to show that Stagefright is being actively exploited in the wild.

      This has all been a very big yawn, and I don't feel very insecure at all.

    29. Re:Won't buy from Motorola or Verizon again! by thegarbz · · Score: 1

      Perfect example of a cure that is worse than the disease.

    30. Re:Won't buy from Motorola or Verizon again! by macs4all · · Score: 0

      Perfect example of a cure that is worse than the disease.

      Really?

      Tell me that when your personal info is siphoned-off by the next cool Android App you sideload (or even get from Google Play).

      Ya know, it's not the "Hello Kitty" wallpaper-type Apps that are obvious to spot when they ask for every Permission in the world; it's the ones that SEEMINGLY have a perfectly-legitimate reason for wanting to see your phone-state, etc. that actually use that Permission nefariously that are the hard ones to catch.

      Yes, that is possible on iOS; but history shows that, for whatever reason, the combination of fine-grained (and easily revokable) Permissions, and whatever Apple does as part of its Approval Process has resulted in an almost completely-sterile ecosystem.

    31. Re:Won't buy from Motorola or Verizon again! by thegarbz · · Score: 1

      I wish them luck. There's very little personal info on my highly volatile and easy to use device which none the less I keep without an unlock code so it can easily be returned by a good Samaritan. But really that's beside the point if you think that somehow I run around installing useless shit on my phone for kicks. As for side loading the only app I side loaded was F-droid, an open source app store.

      Also if history has shown that iOS is somehow magically immune to rogue programs then you need your prescription checked.

      But really some of us would just prefer not to switch to Apple simply because we don't want to be associated with religious zealots like yourself who believe in the power of Jobs the almighty profit to protect you from the evils of the world. And no I didn't make a spelling mistake just now.

      Personally I don't let my mother choose my sexual partners, instead I wear a condom to keep me virus free.

    32. Re:Won't buy from Motorola or Verizon again! by Rigel47 · · Score: 1

      Seriously just buy a damned blackberry.. I've been using my z10 for three years now and have no real interest in upgrading it. Sure a better camera could be nice but it runs smooth as butter, has amazing battery life, I can side-load most android apps (I don't really need to though), has the best messaging platform (the hub) bar none, the best multi-tasking capabilities out there, and best of all.. I don't have to worry about this constant drumroll of security flaws found in android and iOS.

    33. Re:Won't buy from Motorola or Verizon again! by gstoddart · · Score: 2

      That's not your ONLY solution...

      GP talks about Android, story is about Android ... and you spout off about iOS.

      Sorry, thanks for playing ... here's a lovely parting gift.

      Look, I have both Android and iOS devices. But, honestly, randomly saying "yarg, use teh Apple" is kind of pointless here.

      And, quite frankly, having had Apple upgrade my original iPad to the point of uselessness and then abandon it, I'm not willing to update my iPod touch ... because I no longer trust Apple to not fuck up my device and then tell me I'm not supported.

      --
      Lost at C:>. Found at C.
    34. Re:Won't buy from Motorola or Verizon again! by rail2rail · · Score: 1

      GP talks about a mobile devices operating system, story is about a mobile device operating system ... and this guy dares spout off about an OS for a mobile device. THE NERVE.

  9. Textra Protection? by Anonymous Coward · · Score: 0

    The MMS/SMS app Textra has offered "stagefright protection" since stagefright1.0 was a thing. Does this service offer any protection against 2.0?

  10. lol by Anonymous Coward · · Score: 0

    I like how an Android bug is
    "over 1 billion affected"

    while i bugs like the font and pdf bugs are:
    "hey, we can jailbreak, cool!" Never mentions numbers affected unless it's 10k or less.

  11. Longtime Android user, but contemplating Apple by Fencepost · · Score: 1

    The fact that these and the previous Stagefright bugs and others like them will never be fixed on most of the affected handsets, along with other nice things I'm hearing about the newer iPhones have me contemplating something that a year ago would have been anathema.

    I may actually end up switching to an iPhone this fall instead of a new Android phone.

    That may depend on some other things like root availability and CyanogenMod planning for possible handsets, but even with those a lot of the nice things on Android seem to be a product of the data being stored on Google's servers, while the impression I've gotten is that much more of Siri's appointment, etc. capabilities are managed at the point where it has access to the calendar - on the phone itself. I'm not feeling like I'll lose a lot of application capabilities since most apps on Android are going to have at least one solid corresponding app on iOS (in contrast to Windows Phone where I'm not sure there's even a really good text editor, much less a code editor).

    --
    fencepost
    just a little off
  12. move to an MVNO, root, trash their apps by emil · · Score: 1

    I need access to Verizon towers because it is the only signal that I can get at work.

    I first signed up with Page Plus Cellular, then moved to Tracfone after the America Movil buyout. I finally upgraded to a 4g device six months ago.

    I can't run cyanogenmod because of Verizon's fascist bootloader locking. I do run an alternate touchwiz rom, and I have purged everything from it that mentioned Verizon.

    And when Verizon shows up in my Facebook feed, I ask them why they lock their bootloaders and FORCE their users to run exploitable software, reminding them that Cyanogenmod nightlies has fixes, but Verizon doesn't and never will. It's also useful to speculate on a class action lawsuit after their userbase is owned.

  13. Windows phones by Anonymous Coward · · Score: 0

    Microsoft is missing a huge opportunity. Windows phones = no stagefright.

    1. Re:Windows phones by Anonymous Coward · · Score: 0

      Windows phones = no apps, no developers, no future.

  14. Not that worried by Lawrence_Bird · · Score: 0

    Stagefright 1.0, however, was exploited via a specially crafted MMS message which were at the time automatically processed by Stagefright. Google’s patch means Stagefright no longer does so, especially in new versions of Google’s Messenger and Hangouts apps. With Stagefright 2.0, Avraham said the most logical attack vector would be the mobile browser where an attacker tricks the victim via phishing or malvertising to visit a URL hosting the exploit. An attacker could also inject the exploit via a man-in-the-middle attack, or host a malicious third-party app that uses the vulnerable library.

    If you are really scared about MMS it's pretty easy to fubar the settings to enable delivery of MMS messages. No big loss in the age of whatsapp, kik, line.

    On the new variant it seems no different than desktop. Don't click links or view pages that may be dodgy. Don't download a ton of shit apps. And if someone is bothering to MITM you, problems are deeper than the exploit.