Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices

msm1267 writes: Security researcher Joshua Drake today disclosed two more flaws in Stagefright, one that dates back to the first version of Android, and a second dependent vulnerability that was introduced in Android 5.0. The bugs affect more than one billion Android devices, essentially all of them in circulation. One of the vulnerabilities was found in a core Android library called libutils; it has been in the Android OS since it was first released and before there were even Android mobile devices. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities. Google has released patches into the Android Open Source Project tree, but public patches are not yet available.

Call for mass-forking of Android

[TheDarkener]

One of the great strengths of GNU/Linux is its diversity. Like biological life, it is constantly changing, morphing and becoming something new. And also like biological life, constantly changing helps protect against "bad stuff".

I hereby call for a "fork-fest" of Android - everybody make your own distribution of Android, remove code, add code, make it different. Android is sort of lip-service to the open source ecosystem. I'm not saying that this vulnerability is a result of that lip service, but I'd really like to see many, many other versions of Android out there - it's inevitable that the whole will become stronger because of it.

Because if everyone ate the same food we'd all probably die from the next super-virus that makes its rounds.

Re:Call for mass-forking of Android

[tripleevenfall]

Fragmentation is one of Android's weaknesses, not a strength.

Calling for more fragmentation makes no sense. It would leave people stuck on islands where features lag behind, incompatibilities abound, and no fixes will be available for future vulnerabilities. Fragmentation makes the problem worse, not better.

The point isn't to emulate a walled garden, nor is it to have everyone brew their own a la Linux. The point is to make the user experience close to the simplicity and compatibility of the walled garden, while still preserving the open platform.

Re:Call for mass-forking of Android

[tripleevenfall]

The carriers are only going to do the minimum for each device. Why would they invest development time in a device that isn't for sale anymore?

Re:Won't buy from Motorola or Verizon again!

[gstoddart]

Well ... you could picket naked outside of their offices ... you could post a stern comment on Slashdot ... you could send a stern letter to their customer service ... or you could simply not buy them.

Except the first one, which might get you some media coverage, the remainder will all have the exact same result ... nobody will give a crap.

Don't get me wrong, I agree with you. But one lone consumer saying they won't buy the product? Sorry, but the net result of that is precisely nil ... corporations don't care about one individual, and unless a very large amount of customers do something very vocal, nothing at all will happen.

And those "market solutions" everybody talks about? They don't happen either, because consumers fail to care, or nobody builds the competing version and sells it in order for people to choose it.

So, your only real solution? Buy a Nexus device. Those are the ones which always get updates. Pretty much every proprietary version will get support until the manufacturer moves on to the next model.

Re:Stagefright 2.0??

[ArmoredDragon]

The heartbleed name made perfect sense actually. It targeted the OpenSSL Heartbeat feature, and the exploit caused it to leak sensitive data.

I can't claim to know why stagefright got it's name though as I don't know all of the details about it.