Slashdot Mirror


Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices

msm1267 writes: Security researcher Joshua Drake today disclosed two more flaws in Stagefright, one that dates back to the first version of Android, and a second dependent vulnerability that was introduced in Android 5.0. The bugs affect more than one billion Android devices, essentially all of them in circulation. One of the vulnerabilities was found in a core Android library called libutils; it has been in the Android OS since it was first released and before there were even Android mobile devices. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities. Google has released patches into the Android Open Source Project tree, but public patches are not yet available.

14 of 123 comments

  1. Stagefright by tripleevenfall · · Score: 3, Funny

    It's always been the audience that scares me, not the stage.

  2. Re:Call for mass-forking of Android by Anonymous Coward · · Score: 3, Funny

    Yeah! Let's have loads of different new vulnerabilities to deal with. And the fragmentation of different versions of Android isn't enough, so let's add a fuckton of forked versions into the mix to spice things up.

    Inevitable that the whole will become stronger? Android (hardly forked) is wildly successful as is, Linux (heavily forked) is wildly unsuccessful on the desktop. Let's please not take Android down the path of desktop Linux.

    Jeez. It'd be less fork-fest and more bug-kakke.

    (sorry, just had to slip that one in).

  3. Won't buy from Motorola or Verizon again! by PeterM from Berkeley · · Score: 4, Interesting

    How do I inform Verizon and Motorola that I won't buy an android phone from them EVER AGAIN until they start supporting their products with security patches?

    My phone STILL hasn't been patched from the first stagefright vulnerability. I've disabled functionality on the phone in order to protect it.

    I'm downright upset about the lack of security fixes from Motorola/Verizon.

    Seriously, how do I let those two corporations know in an effective way that they'll NEVER get another phone purchase from me until they've changed their do-nothing security practices? Not one penny!

    1. Re:Won't buy from Motorola or Verizon again! by gstoddart · · Score: 4, Insightful

      Well ... you could picket naked outside of their offices ... you could post a stern comment on Slashdot ... you could send a stern letter to their customer service ... or you could simply not buy them.

      Except the first one, which might get you some media coverage, the remainder will all have the exact same result ... nobody will give a crap.

      Don't get me wrong, I agree with you. But one lone consumer saying they won't buy the product? Sorry, but the net result of that is precisely nil ... corporations don't care about one individual, and unless a very large amount of customers do something very vocal, nothing at all will happen.

      And those "market solutions" everybody talks about? They don't happen either, because consumers fail to care, or nobody builds the competing version and sells it in order for people to choose it.

      So, your only real solution? Buy a Nexus device. Those are the ones which always get updates. Pretty much every proprietary version will get support until the manufacturer moves on to the next model.

      --
      Lost at C:>. Found at C.
    2. Re:Won't buy from Motorola or Verizon again! by ArmoredDragon · · Score: 2

      You don't. Verizon just does whatever the hell they want to do.

      Though if a stagefright vulnerability made it into the wild and started bringing down Verizon's wireless infrastructure...that might trigger a reaction. Hard to say though, because the affected customers would get a high data bill, which Verizon would love. Though if they can demonstrate in a civil court that a Verizon brand phone operating within Verizon's own parameters is misbehaving due to somebody the customer has no relationship to taking nefarious action, that might prompt a few lawsuits....and that too might trigger a reaction.

    3. Re:Won't buy from Motorola or Verizon again! by gstoddart · · Score: 2

      That's not your ONLY solution...

      GP talks about Android, story is about Android ... and you spout off about iOS.

      Sorry, thanks for playing ... here's a lovely parting gift.

      Look, I have both Android and iOS devices. But, honestly, randomly saying "yarg, use teh Apple" is kind of pointless here.

      And, quite frankly, having had Apple upgrade my original iPad to the point of uselessness and then abandon it, I'm not willing to update my iPod touch ... because I no longer trust Apple to not fuck up my device and then tell me I'm not supported.

      --
      Lost at C:>. Found at C.
  4. Re:Call for mass-forking of Android by tripleevenfall · · Score: 3, Insightful

    Fragmentation is one of Android's weaknesses, not a strength.

    Calling for more fragmentation makes no sense. It would leave people stuck on islands where features lag behind, incompatibilities abound, and no fixes will be available for future vulnerabilities. Fragmentation makes the problem worse, not better.

    The point isn't to emulate a walled garden, nor is it to have everyone brew their own a la Linux. The point is to make the user experience close to the simplicity and compatibility of the walled garden, while still preserving the open platform.

  5. Re:Call for mass-forking of Android by tripleevenfall · · Score: 3, Insightful

    The carriers are only going to do the minimum for each device. Why would they invest development time in a device that isn't for sale anymore?

  6. Re:Call for mass-forking of Android by rickb928 · · Score: 2

    My M8 is running Android 5.0.1, not the latest, but not what it was born with (4.4.2).

    Lots of phones get updates, but lots of lower performance phones do not, for obvious reasons. And unpopular phones ditto.

    The carriers do abandon phones regularly, but not universally.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  7. Re:Call for mass-forking of Android by gstoddart · · Score: 2

    It will also force them to find a new platform.

    Do you think either the OEMs or the carriers are going to stop doing this?

    Brand differentiation, monetization, vendor lock in ... all of these things say these companies have no interest in selling a vanilla version of Android. What's in it for them? Samsung has their own store, their own apps and ecosystem, and want people locked into Samsung.

    I agree with the sentiment, but if you think it'll happen you're kidding yourself.

    --
    Lost at C:>. Found at C.
  8. Re:Call for mass-forking of Android by 0123456 · · Score: 2

    Practically all medium to high-end devices got their first StageFright patch faster than APL fixes their bugs LOL

    I think my phone got it last week. But I'm not sure, because my carrier doesn't even tell me what bugs their new OS updates have fixed. I may or may not have it on my Nexus 7. I know I don't have it on any of my other Android devices, because manufacturers have abandoned them.

    I know I got the latest Apple bug-fixes on my iPad, because it downloaded last night, and said what it fixed.

    Android security updates are a complete clusterfsck. Enough that my next phone is more likely to be Windows than Android (but more likely to be Apple than either).

  9. Re:Call for mass-forking of Android by macs4all · · Score: 4, Informative

    Uhm... You know that tens of thousands of malware / spyware apps trampled that walled garden a week or two ago, right?

    Tens of thousands? REPUTABLE Citation, please?

    There has been a bunch of apps that should not have been allowed on the store but made it in on top of that (even though they were found useful, but that's not the point)... things like the secret flashlight tethering app a couple years ago, that security researcher who had 10-100k users download his potentially malicious command-and-control center?

    Are you seriously still believing that i things are immune to malware?

    I (and Apple) never said iOS Devices are IMMUNE from Malware; but I think that iOS' track record in that regard speaks for itself.

    Plus, I love the way that Fandroids keep harping on the VERY few examples of things slipping past (having to go back YEARS to find one or two examples of Trojans that made it through Apple's Approval Process), and blithely IGNORE the metric buttload of (also see the links in that article) malware-containing Apps in the Android ecosystem, a good number of which are, or until recently, when Google started getting more serious about vetting Apps, were available in the Play Store.

  10. Re:Call for mass-forking of Android by MachineShedFred · · Score: 2

    Probably market dynamics. Google doesn't have relationships directly with carriers except for with the Nexus devices. The carriers deal with the OEMs, and the OEMs deal with Google. Google has all the muscle, and none of the standing to get it done. The OEMs have none of the muscle, but all of the standing.

    As Apple plays both the part of Google and OEM in their ecosystem, they have both the muscle and standing.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  11. Re:Call for mass-forking of Android by TheGratefulNet · · Score: 5, Interesting

    google designed a faulty os, their update model is broken, their fragmentation is a nightmare and the fact that they broke vpn's for ALL of 4.4 is NOT a carrier issue, my friend!

    I love to blame carriers, too; but vpn api being broken for a year and NOT BEING FIXED is a carrier issue to you? how in the world is that their fault when google, themselves, abandoned 4.4 for key bugfixes?

    I'm supposed to jump on 5.0 and not expect MAJOR bugs to be fixed in just a few versions back; a still-current version for most people??

    google owns this one. sorry if that goes against your narrative but vpns being broken in a whole version and never being fixed is a huge slap in the face.

    --
    "It is now safe to switch off your computer."