Slashdot Mirror


Google Patches More Stagefright Vulnerabilities In Android (threatpost.com)

msm1267 writes: The Stagefright vulnerabilities are the gifts that keep on giving. Months after the potentially devastating security flaws in the mobile OS were publicly disclosed, Google continues to send out patches addressing vulnerabilities related to the initial reports. Today's monthly Android security bulletin includes a fix for another flaw in the Stagefright media playback engine, one in libutils where the Stagefright 2.0 vulnerabilities were found, and two in Android Mediaserver where all the vulnerable code runs. The over-the-air update was released today to Google's Nexus devices and will be added to the Android Open Source Project (AOSP) repository in the next two days; Google partners including Samsung were provided the patches on Oct. 5, Google said, adding that the vulnerabilities are patched in Build LMY48X or later, or in Android Marshmallow with a patch level of Nov. 1.
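
The bulletin above identifies the fixed builds by two different markers (Build LMY48X or later on Lollipop, or a 2015-11-01 security patch level on Marshmallow), so an administrator checking a fleet needs to handle both. The following added check is not from the article or from Google; it takes the two property values a device reports and classifies them, treating non-AOSP (OEM) build IDs as "unknown" because only the OEM's own bulletin can say whether the fix is included.

```shell
#!/bin/sh
# Added example: classify an Android device's reported build against the
# fixed builds named in the November 2015 bulletin. Inputs are the values of
# two system properties; on a real device they come from
#   adb shell getprop ro.build.id                      (e.g. LMY48X)
#   adb shell getprop ro.build.version.security_patch  (e.g. 2015-11-01)
# The second property only exists from Marshmallow on, which is why both are
# needed. Prints one of: patched, unpatched, unknown.

stagefright_nov2015_status() {
  build_id="$1"
  patch_level="$2"

  # Marshmallow and later: the patch level is an ISO date, so a lexical
  # comparison is also a correct chronological comparison.
  if [ -n "$patch_level" ]; then
    if expr "$patch_level" \>= "2015-11-01" >/dev/null; then
      echo patched
    else
      echo unpatched
    fi
    return 0
  fi

  # Lollipop AOSP builds share the LMY branch prefix; within one branch the
  # suffix (date code plus revision letter) increases monotonically, so the
  # device's suffix can be compared lexically against "48X".
  case "$build_id" in
    LMY*)
      suffix=${build_id#LMY}
      if expr "$suffix" \>= "48X" >/dev/null; then
        echo patched
      else
        echo unpatched
      fi
      ;;
    *)
      # OEM builds (Samsung, Motorola, ...) use their own ID schemes, and
      # the fix may have been merged without an AOSP-style ID.
      echo unknown
      ;;
  esac
}

# Usage against an attached device (requires adb; tr strips the CR that
# adb shell appends):
# stagefright_nov2015_status \
#   "$(adb shell getprop ro.build.id | tr -d '\r')" \
#   "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
```

The build ID comparison is only meaningful within the LMY branch; the LMY47V build mentioned further down the thread for the Nexus 7 is correctly reported as unpatched, while an unrelated branch is reported as unknown rather than guessed.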

56 comments

  1. And carriers like Verizoned are where? by Anonymous Coward · · Score: 2, Insightful

    And how many months if EVER will Verizon and carriers send out these updates? I'm still waiting for the last 3 patches that they haven't done shit about.

    1. Re:And carriers like Verizoned are where? by colin_faber · · Score: 2

      I'm in the same boat with AT&T and a year old S5 Active. But I can tell you this, I regularly get Samsung security updates to ensure I'm not doing anything naughty to my phone.

    2. Re:And carriers like Verizoned are where? by silverkniveshotmail. · · Score: 4, Insightful

      It's important that you don't do anything shady like uninstall Facebook.

    3. Re:And carriers like Verizoned are where? by alvinrod · · Score: 1

      Until there's an actual wide-scale exploit that hits vulnerable users, the carriers aren't going to care. They'd rather sell you a new phone and contract than keep supporting old devices that are off contract.

      Even though there seem to be a fair amount of vulnerabilities and Android is the leading platform for most, if not all of the world, there really haven't been any huge exploits or massive attacks similar to what we saw back in the heyday of Windows and any large outbreaks that have occurred seem mostly limited to China.

    4. Re: And carriers like Verizoned are where? by Anonymous Coward · · Score: 0

      What makes me nervous is not so much a specific vulnerability; but that a media rendering library was shipped with permissions worth exploiting; and in such a state of 'quality' that restarting silently every 5 seconds if crashed(which turns out to allow attacks against weak ASLR) was acceptable.

      I realize that dealing with every last dysfunctional implementation of some proprietary implementation of a fucked-up container/codec combo is hard; but that is a good argument in favor of making damn sure that the process handed that problem is cleanly expendable and of no worth to an attacker.

    5. Re:And carriers like Verizoned are where? by Anonymous Coward · · Score: 0

      No need to update android (for now), just switch the default sms app
      use SMSSecure
      https://github.com/WhisperSyst...

    6. Re:And carriers like Verizoned are where? by macs4all · · Score: 1

      Until there's an actual wide-scale exploit that hits vulnerable users, the carriers aren't going to care. They'd rather sell you a new phone and contract than keep supporting old devices that are off contract. Even though there seem to be a fair amount of vulnerabilities and Android is the leading platform for most, if not all of the world, there really haven't been any huge exploits or massive attacks similar to what we saw back in the heyday of Windows and any large outbreaks that have occurred seem mostly limited to China.

      Pray tell, how can you KNOW that your personal data hasn't been siphoned off your Android (besides leaving it "off" in the drawer, or in "Airplane Mode")?

      Unlike in the 90s, pretty much ALL exploits want to do is suck down your personal data, not delete it. The former is fairly hard for the average person to discover, until it's far, far too late...

  2. Google should have used APPS! by Anonymous Coward · · Score: 0, Funny

    Google used LUDDITE software called Stagefright, which is why Android is so insecure! If they used APP frameworks like AppMedia and AppApp, it would be 100% secure, because only apps can app apps!

    Apps!

  3. Nexus not the first? by viperidaenz · · Score: 1

    Is this the same patch Motorola released the other week for Moto X 2014 devices? It said it was a fix for some Stagefright vulnerabilities.

    1. Re:Nexus not the first? by meadow · · Score: 2

      In all the conversation so far no one bothered to post anything about how to actually verify if the vulnerability exists on a system or whether anyone is offering a vulnerability scanner for this.

      The best scanner I've seen so far for previous versions of Stagefright vulnerabilities is this one.

    2. Re:Nexus not the first? by meadow · · Score: 1

      Wouldn't it be the case that, for people with rooted devices, patching the vulnerability would be as simple as copying a couple library files into /system/lib or somewhere?

      Or is it that no one wants to advertise this basic fact because they don't want people to root devices? Obviously if the fix is that simple and straightforward on rooted devices, it screams against the propaganda they want to force everyone to think.

    3. Re:Nexus not the first? by macs4all · · Score: 1

      Wouldn't it be the case that, for people with rooted devices, patching the vulnerability would be as simple as copying a couple library files into /system/lib or somewhere?

      So what about the other 99.999999999999999999999999999% of Android users that wouldn't know how to Root their phone, or even what that means, if their lives literally depended on it?

    4. Re:Nexus not the first? by meadow · · Score: 1

      I wasn't trying to say that everyone should root their phone but just that rooting should be more accepted by vendors, governments, or others since there are really good reasons for it. Seems like we're always under threat against some kind of draconian lockdown imposed by carriers/vendors/governments against having full control over the devices we own and operate. Just because we are purchasing wireless bandwidth doesn't give them the right to deprive us of our freedom.

  4. Google programmers need to read the book by phantomfive · · Score: 1

    Google programmers should read this book.
    They can do much better at avoiding bugs than they are now.

    --
    "First they came for the slanderers and i said nothing."

    1. Re:Google programmers need to read the book by bigwheel · · Score: 1

      I was about to write a disparaging remark before reading the reviews. The author's page also has lots of relevant info.

    2. Re:Google programmers need to read the book by Dutch+Gun · · Score: 3, Interesting

      I might have purchased a copy of that book if there was actually an e-book version of it.

      Anyhow, it's important to point out that security bugs aren't exactly like typical bugs. You can't test for security using unit tests... it's something that needs to happen in an audit. You need to be actively searching for ways to break code, and you need to know the techniques with which this is usually done. Most programmers are not trained how to do this. Do you think anyone actually tried to fuzz-test this library? I wonder.

      Allowing a multimedia library to play downloaded, untrusted content as elevated privileges is a pretty obvious problem in hindsight. We've seen flaws in many other internet-facing multimedia rendering or playback libraries before. libstagefright is now going to undergo some intense scrutiny by both hackers and security firms alike - I'd be surprised if this is the last we hear of this.

      --
      Irony: Agile development has too much inertia to be abandoned now.

    3. Re:Google programmers need to read the book by phantomfive · · Score: 1

      Anyhow, it's important to point out that security bugs aren't exactly like typical bugs. You can't test for security using unit tests

      Security in general is hard, but we're seeing a lot of basic errors that shouldn't be happening. In some cases, if Google had merely read the warning output from the compiler, they would have found bugs.

      Once people start even thinking about security, then we can move onto higher techniques, like proofs and contracts, to remove even more bugs.

      Do you think anyone actually tried to fuzz-test this library? I wonder.

      I seriously doubt it originally, but it looks like Google has some people trying that sort of thing now.

      --
      "First they came for the slanderers and i said nothing."

    4. Re:Google programmers need to read the book by GuB-42 · · Score: 1

      Compiler warnings wouldn't have helped in the case of stagefright bugs (looking at a few patches). Even cppcheck was silent.

      As for fuzzing, Google made its own fuzzers: bunny-the-fuzzer followed by american-fuzzy-lop. The first one was started in 2007, at about the same time Android 1.0 came out. So Google was obviously no stranger to the concept of fuzz-testing.

      Why did the bugs slip by? One can only guess. Maybe the stagefright team was a bit rushed and didn't do all the formal testing required, maybe the bugs really were hard to find, maybe they focused on optimization rather than safety (media libraries typically require efficient code), maybe their test environment was badly configured, ... so many possibilities.

    5. Re:Google programmers need to read the book by fuzzyfuzzyfungus · · Score: 2

      Given that the (deliberately configured, 'as designed') behavior for stagefright was to silently restart every 5 seconds if it crashed, I can only assume that there was some internal pessimism about the robustness of the library.

      I don't doubt that dealing with all the various ghastly corner cases in codecs and container formats was deeply unpleasant; but it is worrisome that priority was apparently given to avoiding the appearance of failure, rather than really clamping down on what such a dangerously unpredictable part of the system was allowed to do; and when it could silently retry, rather than rejecting input.

    6. Re:Google programmers need to read the book by squiggleslash · · Score: 1

      I might have purchased a copy of that book if there was actually an e-book version of it.

      Well, you see there's your first problem. Pages 7-14 describe the clear dangers of using ebooks, where hackers can make use of common buffer overflow exploits in PDF (and other e-reader formats) renderer implementations to take over your device and use it to inject vulnerabilities into your code.

      But wait, before you buy from Amazon, make sure you're aware of the advice in pages 111-191. Entering your credit card number online can result in it being intercepted by keyloggers, fake web browsers, fake proxies (your side), fake Wi-fi hubs, hacked routers, hacked servers at Amazon (web, database, etc), and even rogue employees.

      And before you get your coat to go down the street to the local Barnes and Noble to order the book, are you sure that's safe? Pages 567 and 590 cover how your credit card and other details can be taken over using a simple RFID hack that many credit cards are vulnerable to. Before getting your wallet, consider, do you have cash?

      And be careful to carry enough change. If you overpay the cashier for the book, you may be vulnerable to the hack detailed in pages 892 and 893, whereby the cashier gives you forged money as change, that's almost impossible to tell is forged until you try to spend it.

      But that's not all, page 985 and 986 detail another vulnerability in the "Going to the store to buy the book and paying in exact change" method of online purchasing. As you leave the store, a gentleman wanders up to you asking you for a "light" (a way to ignite a cigarette, a drug popular in the 20th Century whose popularity has diminished because of health fears), but his accomplice sneaks up behind you while you're distracted, whacks you over the head, and when you come to, you'll find they've stolen the book.

      In other words, be careful.

      BTW, while you were reading this I employed the technique on pages 319-331, and now have your credit card and social security number. Ha ha, sucker!

      --
      You are not alone. This is not normal. None of this is normal.

    7. Re:Google programmers need to read the book by phantomfive · · Score: 1

      As for fuzzing, Google made its own fuzzers: bunny-the-fuzzer followed by american-fuzzy-lop. The first one was started in 2007, at about the same time Android 1.0 came out. So Google was obviously no stranger to the concept of fuzz-testing.

      I'm sure they know it exists lol.......the question is, why have they sucked it up so much? My theory is that security isn't something that can be 'added' or fixed in a later stage. It's something programmers need to be thinking about right from the beginning (and obviously they failed miserably in this case).

      --
      "First they came for the slanderers and i said nothing."

  5. here's another set by phantomfive · · Score: 0

    Here's another set of Android vulns that I believe were not mentioned here on Slashdot earlier.....

    --
    "First they came for the slanderers and i said nothing."

    1. Re:here's another set by viperidaenz · · Score: 1

      What does Google App Engine have to do with Android?
      The exploits there are from the Oracle HotSpot JVM, which doesn't run on Android phones.

    2. Re:here's another set by phantomfive · · Score: 1

      Yeah, you're right, I must not have had enough sleep last night.

      --
      "First they came for the slanderers and i said nothing."

  6. Update status will drive my next phone purchase by mcrbids · · Score: 4, Insightful

    I have a 2.5 year old phone that I otherwise love and while it's EOL, I still use it extensively.

    The idea that a phone can be not even 3 years old and not have any hope of getting updates is something I balk STRONGLY at.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.

    1. Re:Update status will drive my next phone purchase by MobileTatsu-NJG · · Score: 2

      I'm not sure why so many Android users find this to be acceptable. Imagine requiring Dell's permission to install a new version of Windows. That's how Android works, BY DESIGN.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    2. Re:Update status will drive my next phone purchase by Anonymous Coward · · Score: 0

      No one is supporting a phone for more than 2 years, and with Google/Android, even if you get a Nexus, you're really only supported on the newest OS for 1 year until you have to upgrade because they ain't back patching to prior OS versions.

    3. Re:Update status will drive my next phone purchase by Anonymous Coward · · Score: 0

      OK how many other platform phones out there let you do what you think is the right thing?

      Unfortunately Android is as close as we get :(

    4. Re:Update status will drive my next phone purchase by Anonymous Coward · · Score: 0

      Imagine requiring Dell's permission to install a new version of Windows.

      Given how things are going lately, you might not have to wait too much longer for that to be a reality. All that's left for them to implement, is a mandatory lockout instead of an "optional" one.

    5. Re:Update status will drive my next phone purchase by ThatsNotPudding · · Score: 2

      FedGov needs to take a different angle: if carriers refuse to issue critical security updates to phones less than five years old, they need to be levied a healthy fine based on the number they've sold that are - solely through their indifference - destined to generate tons of easily avoidable e-waste. That is a quantifiable, undeniable result of their inactions and they should be brutally punished to send a message.

      Or the FCC / FTC could actually do their fucking job to protect consumers from pricks that see vulnerabilities as nothing but an 'opportunity' to sell new phones.

    6. Re:Update status will drive my next phone purchase by squiggleslash · · Score: 1

      No, it's not how Android works, by design. Regular Nexus phones, that run the most Googly Androids, can be upgraded without problem. The only issue is that at some point Google itself stops producing the binaries for each model.

      --
      You are not alone. This is not normal. None of this is normal.

    7. Re:Update status will drive my next phone purchase by MobileTatsu-NJG · · Score: 1

      Yes, Google can approve their own updates, the rest of the manufacturers and carriers remain as bottlenecks.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    8. Re:Update status will drive my next phone purchase by squiggleslash · · Score: 1

      I wasn't referring to Google approving their own updates. I was referring to the Nexus series allowing users to update their own phones. You don't need Google's permission to do so.

      In any case your comment was that Android was the bottleneck, that it was designed to prevent itself from being upgraded. That is what I was responding to. That's false. Android has nothing to do with it.

      Yes, manufacturers can block updates as they do with Windows phone and other mobile operating systems, but that isn't Android's fault.

      --
      You are not alone. This is not normal. None of this is normal.

    9. Re:Update status will drive my next phone purchase by MobileTatsu-NJG · · Score: 1

      I wasn't referring to Google approving their own updates. I was referring to the Nexus series allowing users to update their own phones. You don't need Google's permission to do so.

      Nexus is Google's own phone. That's why you get those updates.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    10. Re:Update status will drive my next phone purchase by Anonymous Coward · · Score: 0

      I'm actually sort of surprised that Motorola isn't supporting that. Are they not?

      They have a patch for my 2013 Moto X although it won't install because I'm using the official Motorola firmware. Yes, that is correct, I'm using the official firmware downloaded from Motorola and that is the version that fails to update with the Stagefright patch. Motodumbass?

    11. Re:Update status will drive my next phone purchase by macs4all · · Score: 1

      I have a 2.5 year old phone that I otherwise love and while it's EOL, I still use it extensively.

      The idea that a phone can be not even 3 years old and not have any hope of getting updates is something I balk STRONGLY at.

      I have a solution for that...

    12. Re:Update status will drive my next phone purchase by squiggleslash · · Score: 1

      I wasn't referring to Google approving their own updates. I was referring to the Nexus series allowing users to update their own phones. You don't need Google's permission to do so.

      --
      You are not alone. This is not normal. None of this is normal.

    13. Re:Update status will drive my next phone purchase by MobileTatsu-NJG · · Score: 1

      Do you understand that Nexus is Google's own phone? You need to because that's the reason you can find only one exception.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    14. Re:Update status will drive my next phone purchase by squiggleslash · · Score: 1

      "Exception"? Do you even understand the words you're writing? You're arguing the Nexus series is an "Exception" to the concept that Android is "designed" to disallow upgrades?

      Are you aware that the Nexus series are mobile phones? Not operating systems or distributions of Android?

      Your claim is that Android, by design, prevents users from upgrading it. You're wrong. The fact Nexus users (and users of many other models of phone bundled with Android) can upgrade their phones without having to get permission from the manufacturer or Google or anyone else proves you're wrong.

      Give it up.

      --
      You are not alone. This is not normal. None of this is normal.

    15. Re:Update status will drive my next phone purchase by MobileTatsu-NJG · · Score: 1

      Heh. Ah, man. That's funny. Okay, here we go:

      "Exception"? Do you even understand the words you're writing? You're arguing the Nexus series is an "Exception" to the concept that Android is "designed" to disallow upgrades?

      Yes. That's exactly what I'm saying. The Nexus phones are not proof that Android isn't designed that way, they're proof that it is! Nexus phones are produced for Google. They are Google's phones. They are to Google what iPhone is to Apple. Android is to Google what iOS is to Apple. Google can update their own phones to the latest Android because the OS and the Nexus phones are theirs. They're not some random manufacturer producing their own phones who just happen to be unique in that they get updates sooner than say... anybody using a Samsung phone. They are commissioned and supported by Google to be a design reference for the rest of the industry to look up to.

      Your claim is that Android, by design, prevents users from upgrading it. You're wrong.

      "My roof is leaking."

      "No it isn't!"

      "Dude, the floor's all wet!"

      "Not in this corner I'm standing in! See! You're wrong!!"

      Do you understand that manufacturers like Motorola advertise how long they plan to support Android on their phones? They make promises like: "We'll go up to three upgrades on this phone!" That doesn't happen when you purchase a desktop computer. This. Is. By. Design. This is also why Stagefright is such a huge problem for Android, nobody can update their phones to fix it!

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  7. Oh boy! I can't wait! by Anonymous Coward · · Score: 0

    For the carriers to actually send out updates for devices that are older than 3 months.

  8. Apple does this right by SuperKendall · · Score: 2, Insightful

    Not sure you are following the analogy, because the original complaint is that you need the carriers permission to install an update from Google.

    Meanwhile Apple is supporting devices around four years old with updates, no matter what carrier you have.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley

    1. Re:Apple does this right by Anonymous Coward · · Score: 1

      Meanwhile Apple is supporting devices around four years old with updates, no matter what carrier you have.

      Meanwhile Apple does not even allow you to install apps that aren't from the app store.

    2. Re:Apple does this right by Anonymous Coward · · Score: 1

      In Europe, or at least here in the Netherlands, most phones are technically not carrier-dependent (except a few simlocked/branded phones, which you can choose not to buy), the carrier only controls the SIM.
      Despite that, the problem remains that Android _OEMs_ don't update older phones.
      Like the Moto E, released last February, which won't get Android 6.0. Which is entirely due to Motorola choosing not to.
      Google then is applauded for supporting Nexuses for 3 years. Yeah, great, but still way too short. Because after those 3 years they are a security risk, even though the hardware is fine and could last many years more.
      My previous phone lasted 8 years, my current still going strong at 5. So, if you don't want to get 0wn3d through KNOWN vulns with patches available, throw away your $100-600 phone every 3 years, only because the OEM doesn't want to support it.
      But yes, the US carriers and US customers choosing to buy locked phones from them are indeed an extra complicating factor.
      At least we have custom ROMs.

    3. Re:Apple does this right by brantondaveperson · · Score: 2

      Well, they do now actually, but never let the truth get in the way of a good story I always say.

    4. Re:Apple does this right by Anonymous Coward · · Score: 0

      This is not true.

    5. Re:Apple does this right by Anonymous Coward · · Score: 0

      Yeah, and never give too much detail of the truth either, because it ruins the aesthetics of fast response in slashdot... which is all too important.

    6. Re:Apple does this right by Anonymous Coward · · Score: 0

      It's too widely known to waste time trying to catch you up on something you obviously don't want to know about.

    7. Re:Apple does this right by macs4all · · Score: 1

      Try this.

      Boy, was THAT hard. Took longer to prune the URL of its unnecessary tracking bullshit than to do the search.

  9. Google is NOT patching the most popular Nexus 7 by Anonymous Coward · · Score: 0

    As I wrote a couple of months ago, if you check the Factory Images for Nexus Devices you'll see that "nakasi" for Nexus 7 (Wi-Fi) remains at LMY47V, which was released before the libstagefright vulnerabilities were (mostly) patched.

    This is an exceptionally popular device. I bought the newly released 32GB version for Christmas 2012. Google doesn't even care about patching its own-branded devices sold internationally less than three years ago.

  10. Very bogus! by fustakrakich · · Score: 1

    So now I have to buy a new phone? Why don't they just make the damn things disintegrate (biodegradable) after two years? Bastards!

    --
    “He’s not deformed, he’s just drunk!”

  11. It doesn't work by Ilgaz · · Score: 4, Insightful

    Google should admit there is a problem in Android's model of getting updates and do something about it.

    It is not just code.

    If they don't care because Android is doing well in terms of market share etc., they should read comments & stories about Nokia Symbian. Developers, users, authors were telling them everything that was wrong and they were laughing at them, showing their massive market share. Now, their own Google Keyboard didn't autocomplete Symbian; it is that irrelevant.

    1. Re: It doesn't work by non0score · · Score: 1

      And what makes you think they don't? And if they do admit it internally, what good will it do to announce it externally? You seem to equate silence to ignoring the issue.

  12. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  13. Built on unfuckable Linux and solid java by Anonymous Coward · · Score: 1

    Nothing penetrates Linux android. I read this on /. all the time. Everyone knows java/dalvik is "the 'bestest' safest language" that makes bug free code too! Now, I am going to read the article - wtf? Oops. Guess all of /. is at fault for all your years of linux is secure no other OS is. I blame you fucking liars for feeding me that shit.

  14. Re: Update status will drive my next phone purchas by Anonymous Coward · · Score: 0

    The patch to the older OS is the new OS. Not sure how difficult that is to understand.