Slashdot Mirror


Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices

msm1267 writes: Security researcher Joshua Drake today disclosed two more flaws in Stagefright, one that dates back to the first version of Android, and a second dependent vulnerability that was introduced in Android 5.0. The bugs affect more than one billion Android devices, essentially all of them in circulation. One of the vulnerabilities was found in a core Android library called libutils; it has been in the Android OS since it was first released and before there were even Android mobile devices. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities. Google has released patches into the Android Open Source Project tree, but public patches are not yet available.

2 of 123 comments

  1. Stagefright by tripleevenfall · Score: 3, Funny

    It's always been the audience that scares me, not the stage.

  2. Re:Call for mass-forking of Android by Anonymous Coward · Score: 3, Funny

    Yeah! Let's have loads of different new vulnerabilities to deal with. And the fragmentation of different versions of Android isn't enough, so let's add a fuckton of forked versions into the mix to spice things up.

    Inevitable that the whole will become stronger? Android (hardly forked) is wildly successful as is, Linux (heavily forked) is wildly unsuccessful on the desktop. Let's please not take Android down the path of desktop Linux.

    Jeez. It'd be less fork-fest and more bug-kakke.

    (sorry, just had to slip that one in).