Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices

Posted by timothy on from the imagine-the-whole-audience-is-naked dept.

msm1267 writes: Security researcher Joshua Drake today disclosed two more flaws in Stagefright, one that dates back to the first version of Android, and a second dependent vulnerability that was introduced in Android 5.0. The bugs affect more than one billion Android devices, essentially all of them in circulation. One of the vulnerabilities was found in a core Android library called libutils; it has been in the Android OS since it was first released and before there were even Android mobile devices. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities. Google has released patches into the Android Open Source Project tree, but public patches are not yet available.

2 of 123 comments (clear)

  1. Won't buy from Motorola or Verizon again! by PeterM+from+Berkeley · · Score: 4, Interesting

    How do I inform Verizon and Motorola that I won't buy an android phone from them EVER AGAIN until they start supporting their products with security patches?

    My phone STILL hasn't been patched from the first stagefright vulnerability. I've disabled functionality on the phone in order to protect it.

    I'm downright upset about the lack of security fixes from Motorola/Verizon.

    Seriously, how do I let those two corporations know in an effective way that they'll NEVER get another phone purchase from me until they've changed their do-nothing security practices? Not one penny!

  2. Re:Call for mass-forking of Android by TheGratefulNet · · Score: 5, Interesting

    google designed a faulty os, their update model is broken, their fragmentation is a nightmare and the fact that they broke vpn's for ALL of 4.4 is NOT a carrier issue, my friend!

    I love to blame carriers, too; but vpn api being broken for a year and NOT BEING FIXED is a carrier issue to you? how in the world is that their fault when google, themselves, abandoned 4.4 for key bugfixes?

    I'm supposed to jump on 5.0 and not expect MAJOR bugs to be fixed in just a few versions back; a still-current version for most people??

    google owns this one. sorry if that goes against your narrative but vpns being broken in a whole version and never being fixed is a huge slap in the face.

    --

    --
    "It is now safe to switch off your computer."