Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices

msm1267 writes: Security researcher Joshua Drake today disclosed two more flaws in Stagefright, one that dates back to the first version of Android, and a second dependent vulnerability that was introduced in Android 5.0. The bugs affect more than one billion Android devices, essentially all of them in circulation. One of the vulnerabilities was found in a core Android library called libutils; it has been in the Android OS since it was first released and before there were even Android mobile devices. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities. Google has released patches into the Android Open Source Project tree, but public patches are not yet available.

Re:Call for mass-forking of Android

[TheGratefulNet]

I continue to hate on google.

a friend convinced me to try a 'new' android phone (older used one but a few gens back so its now affordable). my one and only android, the N1, is stuck at 2.2 or something equally ancient and I'm tired of that being such a POS.

refurb phone came with 4.4. I rooted it (lg g2) and installed twrp recovery (not easy at all, for some reason) and then a custom rom based on 4.4, supposedly with lots of fixes.

I then find out that vpn is broken (by design) in ALL 4.4 codebases. everyone complains about this, if you search on it. google broke an api or something and nothing works anymore for vpn.

I bought a 2nd phone of the same type as a spare. that one came with 5.0 installed. tried the custom rom for that version and vpn works; but the led indicator won't work (at all) for newmail or unaswered calls.

so, I get to pick which version I run; broken vpn but all else (mostly) working or broken led but vpn does work.

sigh. this was supposed a good phone, too. its been out long enough so it should be stable but its not. god know what else is broken but I have not found it yet.

stock os is not any better and has bloat which needed to be removed, anyway.

when I searched for the vpn issue, it seems that google has left this open for more than a year, unfixed! their reply: essentially saying 'go to 5.x and abandon 4.x'.

great. just great. I can do that but many others can't, and the led indicator is broken on 5.x, with no fix in sight that I can find.

android is a fucking mess. a total steaming pile of shit. the reason people put up with this is because there are not many other choices. few want any part of MS anymore, many (like me) don't love apple; and so there's nothing really left anymore but android ;(

a year and no vpn fixes. 4.3 worked (from what I've read). 4.4.* broke it. there is nothing newer than that in the 4.x train (is there?). 5.x is a mess, as well.

this does not even address the security issue (SF). if I want a fix for this, I'm essentially on my own. I have not seen any fixes for this phone yet and since its 'old' now, I doubt I will.

thanks google. you are THE 'short attention span' poster child of the century. you have the talent to be a good vendor but you seem to not care! how sad. strong ability but you lack focus and you give up on things PEOPLE ACTUALLY USE and just move onto the next shiny thing.

sigh. android will continue to be a mess and a nexus does not guarantee anything about patches or support. google just has no reason to care about you. they don't get paid by you, they are not working for you and whatever they throw over the wall, the fanboys will think its great no matter what.