Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices

msm1267 writes: Security researcher Joshua Drake today disclosed two more flaws in Stagefright, one that dates back to the first version of Android, and a second dependent vulnerability that was introduced in Android 5.0. The bugs affect more than one billion Android devices, essentially all of them in circulation. One of the vulnerabilities was found in a core Android library called libutils; it has been in the Android OS since it was first released and before there were even Android mobile devices. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities. Google has released patches into the Android Open Source Project tree, but public patches are not yet available.

Stagefright

[tripleevenfall]

It's always been the audience that scares me, not the stage.

Re:Call for mass-forking of Android

Yeah! Let's have loads of different new vulnerabilities to deal with. And the fragmentation of different versions of Android isn't enough, so let's add a fuckton of forked versions into the mix to spice things up.

Inevitable that the whole will become stronger? Android (hardly forked) is wildly successful as is, Linux (heavily forked) is wildly unsuccessful on the desktop. Let's please not take Android down the path of desktop Linux.

Jeez. It'd be less fork-fest and more bug-kakke.

(sorry, just had to slip that one in).

Won't buy from Motorola or Verizon again!

[PeterM+from+Berkeley]

How do I inform Verizon and Motorola that I won't buy an android phone from them EVER AGAIN until they start supporting their products with security patches?

My phone STILL hasn't been patched from the first stagefright vulnerability. I've disabled functionality on the phone in order to protect it.

I'm downright upset about the lack of security fixes from Motorola/Verizon.

Seriously, how do I let those two corporations know in an effective way that they'll NEVER get another phone purchase from me until they've changed their do-nothing security practices? Not one penny!

Re:Won't buy from Motorola or Verizon again!

[gstoddart]

Well ... you could picket naked outside of their offices ... you could post a stern comment on Slashdot ... you could send a stern letter to their customer service ... or you could simply not buy them.

Except the first one, which might get you some media coverage, the remainder will all have the exact same result ... nobody will give a crap.

Don't get me wrong, I agree with you. But one lone consumer saying they won't buy the product? Sorry, but the net result of that is precisely nil ... corporations don't care about one individual, and unless a very large amount of customers do something very vocal, nothing at all will happen.

And those "market solutions" everybody talks about? They don't happen either, because consumers fail to care, or nobody builds the competing version and sells it in order for people to choose it.

So, your only real solution? Buy a Nexus device. Those are the ones which always get updates. Pretty much every proprietary version will get support until the manufacturer moves on to the next model.

Re:Call for mass-forking of Android

[tripleevenfall]

Fragmentation is one of Android's weaknesses, not a strength.

Calling for more fragmentation makes no sense. It would leave people stuck on islands where features lag behind, incompatibilities abound, and no fixes will be available for future vulnerabilities. Fragmentation makes the problem worse, not better.

The point isn't to emulate a walled garden, nor is it to have everyone brew their own a la Linux. The point is to make the user experience close to the simplicity and compatibility of the walled garden, while still preserving the open platform.

Re:Call for mass-forking of Android

[tripleevenfall]

The carriers are only going to do the minimum for each device. Why would they invest development time in a device that isn't for sale anymore?

Re:Call for mass-forking of Android

[macs4all]

Uhm... You know that a tens of thousands of malware / spyware apps trampled that walled garden a week or two ago, right?

Tens of thousands? REPUTABLE Citation, please?

There has been a bunch of apps that should not have been allowed on the store but made it in on top of that (even though they were found useful, but that's not the point)... things like the secret flashlight tethering app a couple years ago, that security researcher who had 10-100k users download his potentially malicious command-and-control center?

Are you seriously still believing that i things are immune to malware?

I (and Apple) never said iOS Devices are IMMUNE from Malware; but I think that iOS' track record in that regard speaks for itself.

Plus, I love the way that Fandroids keep harping on the VERY few examples of things slipping past (having to go back YEARS to find one or two examples of Trojans that made it through Apple's Approval Process, and blithely IGNORE the metric buttload of (also see the links in that article) malware-containing Apps in the Android ecosystem, a good number of which are, or until recently, when Google started getting more serious about vetting Apps, were available in the Play Store.

Re:Call for mass-forking of Android

[TheGratefulNet]

google designed a faulty os, their update model is broken, their fragmentation is a nightmare and the fact that they broke vpn's for ALL of 4.4 is NOT a carrier issue, my friend!

I love to blame carriers, too; but vpn api being broken for a year and NOT BEING FIXED is a carrier issue to you? how in the world is that their fault when google, themselves, abandoned 4.4 for key bugfixes?

I'm supposed to jump on 5.0 and not expect MAJOR bugs to be fixed in just a few versions back; a still-current version for most people??

google owns this one. sorry if that goes against your narrative but vpns being broken in a whole version and never being fixed is a huge slap in the face.