Google Patches More Stagefright Vulnerabilities In Android (threatpost.com)

msm1267 writes: The Stagefright vulnerabilities are the gifts that keep on giving. Months after the potentially devastating security flaws in the mobile OS were publicly disclosed, Google continues to send out patches addressing vulnerabilities related to the initial reports. Today's monthly Android security bulletin includes a fix for another flaw in the Stagefright media playback engine, one in libutils where the Stagefright 2.0 vulnerabilities were found, and two in Android Mediaserver where all the vulnerable code runs. The over-the-air update was released today to Google's Nexus devices and will be added to the Android Open Source Project (AOSP) repository in the next two days; Google partners including Samsung were provided the patches on Oct. 5, Google said, adding that the vulnerabilities are patched in Build LMY48X or later, or in Android Marshmallow with a patch level of Nov. 1.
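The submission gives two ways to tell whether a device has the fixes: a build ID of LMY48X or later, or Marshmallow with a security patch level of Nov. 1. The script below is an added example, not code from the story or from Google's bulletin, that turns those two criteria into a check. It assumes (the page does not say this) that the build ID is read from the system property ro.build.id and the patch level from ro.build.version.security_patch, which Marshmallow exposes as an ISO date, and that build IDs on the Lollipop LMY branch sort correctly as plain strings (LMY48W < LMY48X < LMY49F).

```shell
#!/bin/sh
# Added example (not from the story or Google's bulletin): decide whether an
# Android build carries the November 2015 fixes, using the two criteria the
# bulletin states: Build LMY48X or later, or Marshmallow with a security
# patch level of 2015-11-01 or later.
#
# Assumptions not stated on the page: the build ID comes from ro.build.id,
# the patch level from ro.build.version.security_patch (Marshmallow and later,
# ISO date), and LMY-branch build IDs compare correctly as plain strings.

# Usage: stagefright_nov2015_patched BUILD_ID PATCH_LEVEL
# Exit status 0 = patched, 1 = not patched. PATCH_LEVEL may be empty
# (pre-Marshmallow devices do not expose one).
stagefright_nov2015_patched() {
    build_id=$1
    patch_level=$2

    # Marshmallow and later: the patch level is authoritative. ISO dates
    # compare correctly as strings, so expr's string comparison suffices.
    if [ -n "$patch_level" ]; then
        if expr "$patch_level" \>= "2015-11-01" >/dev/null; then
            return 0
        fi
        return 1
    fi

    # Lollipop 5.1 (LMY branch): LMY48X or any later LMY build ID.
    case "$build_id" in
        LMY*)
            if expr "$build_id" \>= "LMY48X" >/dev/null; then
                return 0
            fi
            ;;
    esac
    return 1
}

# Query a device over adb and print a verdict (adb ends lines with CR).
check_device() {
    id=$(adb shell getprop ro.build.id | tr -d '\r')
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    if stagefright_nov2015_patched "$id" "$level"; then
        echo "PATCHED: build=$id patch_level=${level:-none}"
    else
        echo "NOT PATCHED: build=$id patch_level=${level:-none}"
    fi
}

# Self-check on constructed values, then a device check when run with --device.
stagefright_nov2015_patched "LMY48X" "" && echo "LMY48X: patched"
stagefright_nov2015_patched "LMY48M" "" || echo "LMY48M: not patched"
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

Run it as `sh check.sh --device` with a device attached; without the flag it only exercises the comparison on the two constructed build IDs. The patch level is checked first because on Marshmallow the build ID alone says nothing about which bulletin has been applied.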


  1. And carriers like Verizoned are where? by Anonymous Coward · · Score: 2, Insightful

    And how many months if EVER will Verizon and carriers send out these updates? I'm still waiting for the last 3 patches that they haven't done shit about.

    1. Re:And carriers like Verizoned are where? by colin_faber · · Score: 2

      I'm in the same boat with AT&T and a year-old S5 Active. But I can tell you this: I regularly get Samsung security updates to ensure I'm not doing anything naughty to my phone.

    2. Re:And carriers like Verizoned are where? by silverkniveshotmail. · · Score: 4, Insightful

      It's important that you don't do anything shady like uninstall Facebook.

    3. Re:And carriers like Verizoned are where? by alvinrod · · Score: 1

      Until there's an actual wide-scale exploit that hits vulnerable users, the carriers aren't going to care. They'd rather sell you a new phone and contract than keep supporting old devices that are off contract.

      Even though there seem to be a fair number of vulnerabilities, and Android is the leading platform for most, if not all, of the world, there really haven't been any huge exploits or massive attacks similar to what we saw back in the heyday of Windows, and any large outbreaks that have occurred seem mostly limited to China.

    4. Re:And carriers like Verizoned are where? by macs4all · · Score: 1

      Until there's an actual wide-scale exploit that hits vulnerable users, the carriers aren't going to care. They'd rather sell you a new phone and contract than keep supporting old devices that are off contract. Even though there seem to be a fair amount of vulnerabilities and Android is the leading platform for most, if not all of the world, there really haven't been any huge exploits or massive attacks similar to what we saw back in the heyday of Windows and any large outbreaks that have occurred seem mostly limited to China.

      Pray tell, how can you KNOW that your personal data hasn't been siphoned off your Android (besides leaving it "off" in the drawer, or in "Airplane Mode")?

      Unlike in the 90s, pretty much ALL exploits want to do is suck down your personal data, not delete it. The former is fairly hard for the average person to discover, until it's far, far too late...

  2. Nexus not the first? by viperidaenz · · Score: 1

      Is this the same patch Motorola released the other week for Moto X 2014 devices? It said it was a fix for some Stagefright vulnerabilities.

    1. Re:Nexus not the first? by meadow · · Score: 2

      In all the conversation so far no one bothered to post anything about how to actually verify if the vulnerability exists on a system or whether anyone is offering a vulnerability scanner for this.

      The best scanner I've seen so far for previous versions of Stagefright vulnerabilities is this one.

    2. Re:Nexus not the first? by meadow · · Score: 1

      Wouldn't it be the case that, for people with rooted devices, patching the vulnerability would be as simple as copying a couple library files into /system/lib or somewhere?

      Or is it that no one wants to advertise this basic fact because they don't want people to root devices? Obviously if the fix is that simple and straightforward on rooted devices, it screams against the propaganda they want to force everyone to think.

    3. Re:Nexus not the first? by macs4all · · Score: 1

      Wouldn't it be the case that, for people with rooted devices, patching the vulnerability would be as simple as copying a couple library files into /system/lib or somewhere?

      So what about the other 99.999999999999999999999999999% of Android users that wouldn't know how to Root their phone, or even what that means, if their lives literally depended on it?

    4. Re:Nexus not the first? by meadow · · Score: 1

      I wasn't trying to say that everyone should root their phone, but just that rooting should be more accepted by vendors, governments, or others, since there are really good reasons for it. Seems like we're always under threat of some kind of draconian lockdown imposed by carriers/vendors/governments against having full control over the devices we own and operate. Just because we are purchasing wireless bandwidth doesn't give them the right to deprive us of our freedom.

  3. Google programmers need to read the book by phantomfive · · Score: 1

    Google programmers should read this book.
    They can do much better at avoiding bugs than they are now.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Google programmers need to read the book by bigwheel · · Score: 1

      I was about to write a disparaging remark before reading the reviews. The author's page also has lots of relevant info.

    2. Re:Google programmers need to read the book by Dutch+Gun · · Score: 3, Interesting

      I might have purchased a copy of that book if there was actually an e-book version of it.

      Anyhow, it's important to point out that security bugs aren't exactly like typical bugs. You can't test for security using unit tests... it's something that needs to happen in an audit. You need to be actively searching for ways to break code, and you need to know the techniques with which this is usually done. Most programmers are not trained how to do this. Do you think anyone actually tried to fuzz-test this library? I wonder.

      Allowing a multimedia library to play downloaded, untrusted content with elevated privileges is a pretty obvious problem in hindsight. We've seen flaws in many other internet-facing multimedia rendering or playback libraries before. libstagefright is now going to undergo some intense scrutiny by both hackers and security firms alike - I'd be surprised if this is the last we hear of this.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    3. Re:Google programmers need to read the book by phantomfive · · Score: 1

      Anyhow, it's important to point out that security bugs aren't exactly like typical bugs. You can't test for security using unit tests

      Security in general is hard, but we're seeing a lot of basic errors that shouldn't be happening. In some cases, if Google had merely read the warning output from the compiler, they would have found bugs.

      Once people start even thinking about security, then we can move onto higher techniques, like proofs and contracts, to remove even more bugs.

      Do you think anyone actually tried to fuzz-test this library? I wonder.

      I seriously doubt it originally, but it looks like Google has some people trying that sort of thing now.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Google programmers need to read the book by GuB-42 · · Score: 1

      Compiler warnings wouldn't have helped in the case of stagefright bugs (looking at a few patches). Even cppcheck was silent.

      As for fuzzing, Google made its own fuzzers: bunny-the-fuzzer followed by american-fuzzy-lop. The first one was started in 2007, at about the same time Android 1.0 came out. So Google was obviously no stranger to the concept of fuzz-testing.

      Why did the bugs slip by? One can only guess. Maybe the stagefright team was a bit rushed and didn't do all the formal testing required, maybe the bugs really were hard to find, maybe they focused on optimization rather than safety (media libraries typically require efficient code), maybe their test environment was badly configured, ... so many possibilities.

    5. Re:Google programmers need to read the book by fuzzyfuzzyfungus · · Score: 2

      Given that the (deliberately configured, 'as designed') behavior for stagefright was to silently restart every 5 seconds if it crashed, I can only assume that there was some internal pessimism about the robustness of the library.

      I don't doubt that dealing with all the various ghastly corner cases in codecs and container formats was deeply unpleasant; but it is worrisome that priority was apparently given to avoiding the appearance of failure, rather than really clamping down on what such a dangerously unpredictable part of the system was allowed to do; and when it could silently retry, rather than rejecting input.
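The point above is that a component which silently restarts after every crash hides its own failures. One defensive response is to watch for the restart loop itself. The script below is an added example, not code from the thread or from Android, that counts mediaserver native crashes per minute in logcat output and flags a burst. It assumes `logcat -v threadtime` formatting and that a native crash in the mediaserver process appears as a libc "Fatal signal" line naming the "(mediaserver)" thread; the log lines it ships with are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Android): detect a mediaserver
# crash/restart loop in logcat output.
#
# Assumptions: `logcat -v threadtime` line layout ("MM-DD HH:MM:SS.mmm PID TID
# LEVEL TAG: message"), and that a native crash of the mediaserver process is
# logged by libc as "Fatal signal ... (mediaserver)". The sample below is
# constructed for illustration: three crashes inside one minute, then one more.
SAMPLE_LOG='11-02 10:15:01.101  2001  2001 I ActivityManager: Start proc 2001:com.example.app/u0a12
11-02 10:15:03.450  1180  1180 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x8 in tid 1180 (mediaserver)
11-02 10:15:08.512  1195  1195 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x8 in tid 1195 (mediaserver)
11-02 10:15:13.577  1210  1210 F libc    : Fatal signal 6 (SIGABRT), code -6 in tid 1210 (mediaserver)
11-02 10:16:02.003  2001  2001 D SomeTag : harmless debug line
11-02 10:16:04.101  1225  1225 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x8 in tid 1225 (mediaserver)'

# mediaserver_crashes_per_minute: reads logcat lines on stdin and prints
# "MM-DD HH:MM COUNT" for every minute in which mediaserver crashed.
mediaserver_crashes_per_minute() {
    awk '/Fatal signal .*\(mediaserver\)/ {
            minute = $1 " " substr($2, 1, 5)   # "11-02 10:15"
            count[minute]++
         }
         END { for (m in count) print m, count[m] }' | sort
}

# max_mediaserver_crashes_per_minute: the highest per-minute count on stdin
# (prints 0 when there are no crashes at all).
max_mediaserver_crashes_per_minute() {
    mediaserver_crashes_per_minute |
        awk 'BEGIN { max = 0 } $3 > max { max = $3 } END { print max }'
}

# mediaserver_restart_loop THRESHOLD: exit 0 when some minute on stdin reaches
# THRESHOLD crashes, i.e. the silent restart is masking a crash loop.
mediaserver_restart_loop() {
    threshold=$1
    max=$(max_mediaserver_crashes_per_minute)
    [ "$max" -ge "$threshold" ]
}

# Demo on the constructed sample. Against a device, pipe real output instead:
#   adb logcat -d -v threadtime | mediaserver_restart_loop 3
if printf '%s\n' "$SAMPLE_LOG" | mediaserver_restart_loop 3; then
    echo "mediaserver crash loop: 3 or more crashes within one minute"
fi
```

Bucketing by minute is deliberately coarse: the goal is to notice that the media playback engine is dying and coming back repeatedly, which a per-crash alert would drown in and which the restart behaviour otherwise keeps out of sight.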

    6. Re:Google programmers need to read the book by squiggleslash · · Score: 1

      I might have purchased a copy of that book if there was actually an e-book version of it.

      Well, you see there's your first problem. Pages 7-14 describe the clear dangers of using ebooks, where hackers can make use of common buffer overflow exploits in PDF (and other e-reader formats) renderer implementations to take over your device and use it to inject vulnerabilities into your code.

      But wait, before you buy from Amazon, make sure you're aware of the advice in pages 111-191. Entering your credit card number online can result in it being intercepted by keyloggers, fake web browsers, fake proxies (your side), fake Wi-fi hubs, hacked routers, hacked servers at Amazon (web, database, etc), and even rogue employees.

      And before you get your coat to go down the street to the local Barnes and Noble to order the book, are you sure that's safe? Pages 567 and 590 cover how your credit card and other details can be taken over using a simple RFID hack that many credit cards are vulnerable to. Before getting your wallet, consider, do you have cash?

      And be careful to carry enough change. If you overpay the cashier for the book, you may be vulnerable to the hack detailed in pages 892 and 893, whereby the cashier gives you forged money as change, that's almost impossible to tell is forged until you try to spend it.

      But that's not all, page 985 and 986 detail another vulnerability in the "Going to the store to buy the book and paying in exact change" method of online purchasing. As you leave the store, a gentleman wanders up to you asking you for a "light" (a way to ignite a cigarette, a drug popular in the 20th Century whose popularity has diminished because of health fears), but his accomplice sneaks up behind you while you're distracted, whacks you over the head, and when you come to, you'll find they've stolen the book.

      In other words, be careful.

      BTW, while you were reading this I employed the technique on pages 319-331, and now have your credit card and social security number. Ha ha, sucker!

      --
      You are not alone. This is not normal. None of this is normal.
    7. Re:Google programmers need to read the book by phantomfive · · Score: 1

      As for fuzzing, Google made its own fuzzers: bunny-the-fuzzer followed by american-fuzzy-lop. The first one was started in 2007, at about the same time Android 1.0 came out. So Google was obviously no stranger to the concept of fuzz-testing.

      I'm sure they know it exists lol.......the question is, why have they sucked it up so much? My theory is that security isn't something that can be 'added' or fixed in a later stage. It's something programmers need to be thinking about right from the beginning (and obviously they failed miserably in this case).

      --
      "First they came for the slanderers and i said nothing."
  4. Update status will drive my next phone purchase by mcrbids · · Score: 4, Insightful

    I have a 2.5 year old phone that I otherwise love and while it's EOL, I still use it extensively.

    The idea that a phone can be not even 3 years old and not have any hope of getting updates is something I balk STRONGLY at.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Update status will drive my next phone purchase by MobileTatsu-NJG · · Score: 2

      I'm not sure why so many Android users find this to be acceptable. Imagine requiring Dell's permission to install a new version of Windows. That's how Android works, BY DESIGN.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    2. Re:Update status will drive my next phone purchase by ThatsNotPudding · · Score: 2

      FedGov needs to take a different angle: if carriers refuse to issue critical security updates to phones less than five years old, they need to be levied a healthy fine based on the number they've sold that are - solely through their indifference - destined to generate tons of easily avoidable e-waste. That is a quantifiable, undeniable result of their inaction, and they should be brutally punished to send a message.

      Or the FCC / FTC could actually do their fucking job to protect consumers from pricks that see vulnerabilities as nothing but an 'opportunity' to sell new phones.

    3. Re:Update status will drive my next phone purchase by squiggleslash · · Score: 1

      No, it's not how Android works, by design. Regular Nexus phones, that run the most Googly Androids, can be upgraded without problem. The only issue is that at some point Google itself stops producing the binaries for each model.

      --
      You are not alone. This is not normal. None of this is normal.
    4. Re:Update status will drive my next phone purchase by MobileTatsu-NJG · · Score: 1

      Yes, Google can approve their own updates, the rest of the manufacturers and carriers remain as bottlenecks.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    5. Re:Update status will drive my next phone purchase by squiggleslash · · Score: 1

      I wasn't referring to Google approving their own updates. I was referring to the Nexus series allowing users to update their own phones. You don't need Google's permission to do so.

      In any case your comment was that Android was the bottleneck, that it was designed to prevent itself from being upgraded. That is what I was responding to. That's false. Android has nothing to do with it.

      Yes, manufacturers can block updates as they do with Windows phone and other mobile operating systems, but that isn't Android's fault.

      --
      You are not alone. This is not normal. None of this is normal.
    6. Re:Update status will drive my next phone purchase by MobileTatsu-NJG · · Score: 1

      I wasn't referring to Google approving their own updates. I was referring to the Nexus series allowing users to update their own phones. You don't need Google's permission to do so.

      Nexus is Google's own phone. That's why you get those updates.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    7. Re:Update status will drive my next phone purchase by macs4all · · Score: 1

      I have a 2.5 year old phone that I otherwise love and while it's EOL, I still use it extensively.

      The idea that a phone can be not even 3 years old and not have any hope of getting updates is something I balk STRONGLY at.

      I have a solution for that...

    8. Re:Update status will drive my next phone purchase by squiggleslash · · Score: 1

      I wasn't referring to Google approving their own updates. I was referring to the Nexus series allowing users to update their own phones. You don't need Google's permission to do so.

      --
      You are not alone. This is not normal. None of this is normal.
    9. Re:Update status will drive my next phone purchase by MobileTatsu-NJG · · Score: 1

      Do you understand that Nexus is Google's own phone? You need to because that's the reason you can find only one exception.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    10. Re:Update status will drive my next phone purchase by squiggleslash · · Score: 1

      "Exception"? Do you even understand the words you're writing? You're arguing the Nexus series is an "Exception" to the concept that Android is "designed" to disallow upgrades?

      Are you aware that the Nexus series are mobile phones? Not operating systems or distributions of Android?

      Your claim is that Android, by design, prevents users from upgrading it. You're wrong. The fact Nexus users (and users of many other models of phone bundled with Android) can upgrade their phones without having to get permission from the manufacturer or Google or anyone else proves you're wrong.

      Give it up.

      --
      You are not alone. This is not normal. None of this is normal.
    11. Re:Update status will drive my next phone purchase by MobileTatsu-NJG · · Score: 1

      Heh. Ah, man. That's funny. Okay, here we go:

      "Exception"? Do you even understand the words you're writing? You're arguing the Nexus series is an "Exception" to the concept that Android is "designed" to disallow upgrades?

      Yes. That's exactly what I'm saying. The Nexus phones are not proof that Android isn't designed that way, they're proof that it is! Nexus phones are produced for Google. They are Google's phones. They are to Google what iPhone is to Apple. Android is to Google what iOS is to Apple. Google can update their own phones to the latest Android because the OS and the Nexus phones are theirs. They're not some random manufacturer producing their own phones who just happen to be unique in that they get updates sooner than say... anybody using a Samsung phone. They are commissioned and supported by Google to be a design reference for the rest of the industry to look up to.

      Your claim is that Android, by design, prevents users from upgrading it. You're wrong.

      "My roof is leaking."

      "No it isn't!"

      "Dude, the floor's all wet!"

      "Not in this corner I'm standing in! See! You're wrong!!"

      Do you understand that manufacturers like Motorola advertise how long they plan to support Android on their phones? They make promises like: "We'll go up to three upgrades on this phone!" That doesn't happen when you purchase a desktop computer. This. Is. By. Design. This is also why Stagefright is such a huge problem for Android, nobody can update their phones to fix it!

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  5. Re:here's another set by viperidaenz · · Score: 1

    What does Google App Engine have to do with Android?
    The exploits there are from the Oracle HotSpot JVM, which doesn't run on Android phones.

  6. Re:here's another set by phantomfive · · Score: 1

    Yeah, you're right, I must not have had enough sleep last night.

    --
    "First they came for the slanderers and i said nothing."
  7. Apple does this right by SuperKendall · · Score: 2, Insightful

    Not sure you are following the analogy, because the original complaint is that you need the carrier's permission to install an update from Google.

    Meanwhile Apple is supporting devices around four years old with updates, no matter what carrier you have.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Apple does this right by Anonymous Coward · · Score: 1

      Meanwhile Apple is supporting devices around four years old with updates, no matter what carrier you have.

      Meanwhile Apple does not even allow you to install apps that aren't from the app store.

    2. Re:Apple does this right by Anonymous Coward · · Score: 1

      In Europe, or at least here in the Netherlands, most phones are technically not carrier-dependent (except a few simlocked/branded phones, which you can choose not to buy), the carrier only controls the SIM.
      Despite that, the problem remains that Android _OEMs_ don't update older phones.
      Like the Moto E, released last February, which won't get Android 6.0. Which is entirely due to Motorola choosing not to.
      Google then is applauded for supporting Nexuses for 3 years. Yeah, great, but still way too short. Because after those 3 years they are a security risk, even though the hardware is fine and could last many years more.
      My previous phone lasted 8 years, my current still going strong at 5. So, if you don't want to get 0wn3d through KNOWN vulns with patches available, throw away your $100-600 phone every 3 years, only because the OEM doesn't want to support it.
      But yes, the US carriers and US customers choosing to buy locked phones from them are indeed an extra complicating factor.
      At least we have custom ROMs.

    3. Re:Apple does this right by brantondaveperson · · Score: 2

      Well, they do now actually, but never let the truth get in the way of a good story I always say.

    4. Re:Apple does this right by macs4all · · Score: 1

      Try this.

      Boy, was THAT hard. Took longer to prune the URL of its unnecessary tracking bullshit than to do the search.

  8. Very bogus! by fustakrakich · · Score: 1

    So now I have to buy a new phone? Why don't they just make the damn things disintegrate (biodegradable) after two years? Bastards!

    --
    “He’s not deformed, he’s just drunk!”
  9. It doesn't work by Ilgaz · · Score: 4, Insightful

    Google should admit there is a problem in Android's model of getting updates and do something about it.

    It is not just code.

    If they don't care because Android is doing well in terms of market share etc., they should read comments & stories about Nokia Symbian. Developers, users, authors were telling them everything that was wrong, and they were laughing at them, showing their massive market share. Now, their own Google Keyboard didn't autocomplete Symbian; it is that irrelevant.

    1. Re: It doesn't work by non0score · · Score: 1

      And what makes you think they don't? And if they do admit it internally, what good will it do to announce it externally? You seem to equate silence to ignoring the issue.

  11. Built on unfuckable Linux and solid java by Anonymous Coward · · Score: 1

    Nothing penetrates Linux android. I read this on /. all the time. Everyone knows java/dalvik is "the 'bestest' safest language" that makes bug free code too! Now, I am going to read the article - wtf? Oops. Guess all of /. is at fault for all your years of linux is secure no other OS is. I blame you fucking liars for feeding me that shit.