Slashdot Mirror

← Back to Stories (view on slashdot.org)

Android Stagefright Bug Required 115 Patches, Millions Still At Risk (eweek.com)

Posted by EditorDavid on from the 12-months-later dept.

eWeek reports that "hundreds of millions of users remain at risk" one year after Joshua Drake discovered the Stagefright Android flaw. Slashdot reader darthcamaro writes: A year ago, on July 27, 2015 news about the Android Stagefright flaw was first revealed with the initial reports claiming widespread impact with a billion users at risk. As it turns out, the impact of Stagefright has been more pervasive...over the last 12 months, Google has patched no less than 115 flaws in Stagefright and related Android media libraries. Joshua Drake, the researcher who first discovered the Stagefright flaw never expected it to go this far. "I expected shoring up the larger problem to take an extended and large effort, but I didn't expect it to be ongoing a year later."
Drake believes targeted attacks use Stagefright vulnerabilities on unpatched systems, but adds that Android's bug bounty program appears to be working, paying out $550,000 in its first year.

50 comments

  1. And yet... by Anonymous Coward · · Score: 3, Informative

    ...My Galaxy S4 has received NONE of these updates.

    Thanks, Sprint!

    1. Re:And yet... by ArmoredDragon · · Score: 1, Interesting

      As much as I really hate Sprint and think they're easily the worst carrier by a cubic lightyear, that's more likely to be a Samsung problem. Samsung is downright shameful when it comes to updates, and furthermore they're the single biggest reason why iPhone lovers and other pundits think Android is buggy and laggy. I owned a Galaxy Note 4, and after that I'll never buy another Samsung phone again.

    2. Re:And yet... by Anonymous Coward · · Score: 0

      Glad I removed the standard SMS/MMS client long ago.

    3. Re:And yet... by Anonymous Coward · · Score: 0

      Samsung has been much better about the monthly updates and bloatware. I think that Moto and HTC will be having to prove how good they can be with updates, and Moto has already said they will not do Monthly Security Updates.

    4. Re:And yet... by konohitowa · · Score: 1

      My unsupported Tab 10.1 is what put me in the same camp as you in regard to Samsung. The one and only update Samsung provided for it resulted in a bug that would cause any app to crash if you tried to copy anything you highlighted. Fixing that required rooting it so I could delete a corrupt database file - which I knew how to do because so many other people had the same problem. I might as well have just burned the money for all the use I got out of it (that wasn't the only flaw in the thing, just the worst).

    5. Re:And yet... by Anonymous Coward · · Score: 0

      Don't feel bad, I have a S5 and its just as vulnerable. Thanks, Bell Canada!

    6. Re:And yet... by jonwil · · Score: 1

      Even worse is when OEMs lock their phones so you cant install custom firmware from third parties that actually incorporates security fixes like this.

    7. Re:And yet... by Anonymous Coward · · Score: 0

      Seriously, what is the distribution rate of these 115 Stagefright patches, among the entire Android ecosystem? I'll bet it's less than 20%. Which is near enough to "essentially the entire Android world is still vulnerable to Stagefright."

      Thanks Google!

      Seriously, is this acceptable? How? Why? What will it take for Google to actually step up and take some responsibility for this monster it has created? Will it take hacker messages on the home screen every Android phone in existence? Will it take the President/Prime Minister of every nation on Earth to have their phone p0wned? Is Google so committed to a broken code distribution model that they cannot even acknowledge there is a problem?

      Oh sure, Google has said they will "consider shaming" the carrier community. Even that inadequate response has come to exactly nothing. Google has become lethargic and slow. "Don't look at us!" is all they've got.

    8. Re:And yet... by Anonymous Coward · · Score: 0

      This. It varies by region. My unbranded Australian S5 doesn't receive any updates. Yet Samsung blame the carriers even on unbranded phones!

    9. Re:And yet... by Anonymous Coward · · Score: 0

      I will not buy a phone from Samsung or Moto because both firms have locked bootloaders, and even root is dicey. Combine this with updates being dicey at best, and you will realize the devices are deliberately made to be worthless and even dangerous to the user (due to security holes) once the carrier or company decides to stop making updates. Hell with them both.

      HTC may not update frequently, and this is a factor, but for people who are familiar with Android, you can buy a new HTC device, go to htcdev to unlock the bootloader, push a recovery ROM and SuperSU, run Sunshine (yes, it is $25, but only has to be done once) to S-Off the device, then flash whatever the hell you want. I personally like CyanogenMod + OpenGApps, but there are many other decent ROMs, including factory ROMs that have had their bloatware excised.

      Of course, there is the Nexus line of phones. If I recommend a phone to anyone for Android, the Nexus line is the best. They are not "flagship smartphones", but you will be able to find -some- way of updating the phone, 3+ years from now.

      As for iPhones, people talk about Apple has never has had a security hole in the wild that has affected anything but jailbroken devices. I've yet to read/hear something different, but I don't like iOS and how restrictive it is unless you jailbreak the device, and jailbreaking utterly destroys its security, as opposed to rooting doing nothing negative (barring a user who grants any app root [1]) .

      [1]: Even apps asking for root have to declare a root permission in the Android manifest, otherwise most su apps won't let it pop up a dialog.

    10. Re: And yet... by Billly+Gates · · Score: 1

      Buy a Nexus!

      Pure Google and monthly updates and no lag whiz or carrier crap. I love my 6p

      --
      http://saveie6.com/
    11. Re: And yet... by Anonymous Coward · · Score: 0

      Stagefright where patched via the Play Store so your phone should already have it regardless of manufacturer or operator.

    12. Re:And yet... by jrumney · · Score: 1

      Are you sure that the vulnerability is not still there? The bulk of the problems were in the media parsing libraries. MMS was just the publicized vector by which the vulnerabilities could be exploited remotely. It doesn't mean there weren't other vectors, especially when you start factoring in third party applications which most likely use the same libraries.

    13. Re:And yet... by jrumney · · Score: 2, Informative
      The 115 is an alarmist figure. I've looked through some of the patches, and it seems what happened was:
      1. Quick patch to MMS to mitigate the attack vector that was publicized
      2. Quick patch to Stagefright library to avoid the vulnerability
      3. Many patches to Stagefright to redesign the handling of media files completely
      4. More quick patches to various components as more vectors to the original stagefright exploit were found

      So only a handful of the patches are needed to avoid the exploits. The rest are general cleanup and redesign in response to the problems triggering a rethink about how to handle media from unknown sources.

    14. Re:And yet... by Anonymous Coward · · Score: 0

      I'm not sure how I could be affected as my phone won't receive MMS messages and I don't use my phone for video at all. I suppose I could go in and yank out the Stagefright library as well.

    15. Re:And yet... by ArmoredDragon · · Score: 0

      As for iPhones, people talk about Apple has never has had a security hole in the wild that has affected anything but jailbroken devices.

      Apple has had plenty of security breaches in iOS, including one really big one that they still aren't even sure if they've cleaned up yet.

      https://nakedsecurity.sophos.c...

    16. Re: And yet... by Anonymous Coward · · Score: 0

      Indeed, and the vast majority of devices have the initial critical patches.

      It's also not Google's fault. It's unlikely to be the phone manufacturers fault either (they update network agnostic handsets), its mobile networks at fault. It's clickbait media at fault

    17. Re:And yet... by Anonymous Coward · · Score: 0

      I'm not sure how I could be affected as my phone won't receive MMS messages and I don't use my phone for video at all. I suppose I could go in and yank out the Stagefright library as well.

      Because the bug has nothing to do with MMS or (just) video. Did you even read what you answered to? And yes, if you have full access to the system, you could "yank out" the Stagefright library - but that would simply be a very coarse way of patching,

    18. Re:And yet... by Anonymous Coward · · Score: 0

      The 115 is an alarmist figure. I've looked through some of the patches, and it seems what happened was:

      1. Quick patch to MMS to mitigate the attack vector that was publicized
      2. Quick patch to Stagefright library to avoid the vulnerability
      3. Many patches to Stagefright to redesign the handling of media files completely
      4. More quick patches to various components as more vectors to the original stagefright exploit were found

      So only a handful of the patches are needed to avoid the exploits.

      And by "the exploits" you mean the one initial exploit, for which the initial quick patches (many people never received) fixed the symptoms.

    19. Re:And yet... by Anonymous Coward · · Score: 0

      Well, LG said they would do monthly updates, yet that was a flat out lie, my G4 hasn't received any updates since January.
      So Moto is at least honest...

    20. Re:And yet... by jrumney · · Score: 1

      There were at least two distinct exploits, and the second one was still exploitable after the first quick patches (hence the last "more quick patches" in my list)

  2. So far...... by phantomfive · · Score: 1

    Android Stagefright Bug Required 115 Patches....

    .....so far. Where there 115 patches, there is one more un-patched bug.

    --
    "First they came for the slanderers and i said nothing."
  3. This is why it pays to be gay by Anonymous Coward · · Score: 0

    and love the fruity company's products. Safe. Secure. And AIDS is treatable now. Stagefright is a death warrent.

    1. Re: This is why it pays to be gay by Anonymous Coward · · Score: 0

      Now if you'll excuse me, I'm going to get my salad tossed by three big men, then have them anal sex me till I pass out.

    2. Re: This is why it pays to be gay by Anonymous Coward · · Score: 0

      Donald?

  4. No surprise here by thundercattt · · Score: 1

    Lazy phone makers don't bother upgrading the OS on non flag ship models. Ya if you have a Nexus or a Samsung Galaxy you'll get the update. My Samsung Rugby (rugged) still using 4.4.2. Even when this bug dropped, everyone promised patches. Samsung said hey we released new phones. There's nobody forcing it to be patched on these unpatched phones.

    1. Re:No surprise here by No+Longer+an+AC · · Score: 1

      Lazy phone makers don't bother upgrading the OS on non flag ship models

      But the flagship you buy today will not stay the flagship for long.

    2. Re: No surprise here by thundercattt · · Score: 1

      I can't comment on what I don'tuse but thus far my Nexus 5 receives every update. +1 to Google.

  5. The Answer by Anonymous Coward · · Score: 0

    Switch to iOS. Problem solved.

    1. Re:The Answer by bloodhawk · · Score: 0, Troll

      Yep then your phone will naturally become slow and unusuable forcing you to upgrade (not patch), rather than remain out of date and at risk. Not sure which is worse.

    2. Re:The Answer by Anonymous Coward · · Score: 0

      I own the 24 carat gold iPhone 6 Plus with embedded diamonds and I was highly disappointed to find out that there probably won't be a 24 carat gold iPhone 7 with embedded diamonds. This unfortunately means I cannot stick with iOS and now must find an alternative.

      If you happen to know of any other phone that might be satisfactory, please let me know but only if it's $10,000 USD or less.

    3. Re:The Answer by Anonymous Coward · · Score: 0

      Yep then your phone will naturally become slow and unusuable forcing you to upgrade (not patch)

      Unlike Android, which is slow and unpatched when you buy it.

  6. Strangely, cheaper = more secure in this case by Ecuador · · Score: 2, Informative

    It is very strange that while Samsung phones that me and my wife used to have had were not updated much (especially the non-flagship devices), from the moment I tried the cheap Chinese Xiaomi I've been enjoying continuous updates to all devices, from flagship to budget (and this, along with other reasons, is why I am sticking with Xiaomi for the time being). E.g. your phone will be running Android 6.0.1 whether you have the latest flagship (Mi 5), or the previous flagship (Mi 4) or the flagship before that (Mi 3 from 2013) or their cheapest device from 2 years ago (Redmi 1S) etc. And all these cost 1/2 to 1/3 the price of the equivalent Samsung/LG etc.
    So, in this case buying "cheap Chinese" means you are the most protected from such issues. Yes, I know Xiaomi does not sell to most countries, I had to order it from a Chinese e-tailer who had an EU warehouse. And if you order from a Chinese e-tailer, whatever brand the phone it is almost guaranteed to be full of adware and spyware so your first move would be a clean install. Which is surprisingly easy on a Xiaomi, in fact you don't even have to use a PC - you can just go to the Xiaomi website to download the latest version, rename the file per the instructions, reboot in recovery mode and clean-install it! They even have dual boot - keeping a clean OS in case you screw up your regular installation.
    Sorry for the "ad", but I can't believe I have paid up to $600 in the past (or more if we include phones my company has provided me like the iPhone 6 Plus), when a $200-$250 phone has proved better IMHO in both hardware and software...

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    1. Re:Strangely, cheaper = more secure in this case by Anonymous Coward · · Score: 0

      Tell me more about how I can get free chinese Spyware on my phone!

      It's easy enough to force updates to any android phone from legitimate source downloads. Who in their right mind would trust a Chinese company for update?

    2. Re:Strangely, cheaper = more secure in this case by Anonymous Coward · · Score: 0

      Relax moron. The Chinese aren't interested in getting hold of your Grindr profile and the photos of your dick that you keep on our phone.

    3. Re:Strangely, cheaper = more secure in this case by Anonymous Coward · · Score: 0

      ... you know that almost all computers are manufactured in China, right? So while I don't disagree, either you have Chinese and USA spyware or you have just Chinese spyware. In that case, I'll take Chinese spyware - given that the USA is meddling far more in my countries' affairs than China.

    4. Re:Strangely, cheaper = more secure in this case by Anonymous Coward · · Score: 0

      Tell me more about how I can get free chinese Spyware on my phone!

      Yeah, you're only OK if companies like Microsoft, Google or Apple spy on you. Or perhaps you prefer the NSA. In any case, let's keep it in 'Murica!

    5. Re:Strangely, cheaper = more secure in this case by Szeraax · · Score: 3, Interesting

      Based upon this post alone I am scared of those phones: http://forum.xda-developers.co...

      But I really don't have enough knowledge to know.

    6. Re:Strangely, cheaper = more secure in this case by Anonymous Coward · · Score: 0

      If you are uncomfortable with Chinese phones I recommend Sony. I have a Sony Xperia Z3, released in 2014 and since superseded by the Xperia Z4 and Z5. Still, Sony provided the Android 6.0.1 update to this phone recently.

    7. Re:Strangely, cheaper = more secure in this case by Ecuador · · Score: 1

      Well, that post is before Xiaomi turned the default of the "data sharing to improve experience" to off (you could set it to off yourself before) and also use of free services like the Mi cloud do share your details with Xiaomi as you should expect. But, for example, Microsoft sends more data, even if you say "no" to everything according to reports. And Xiaomi releases the kernel source of their OS, which is something Microsoft and Apple don't do. So I sort of take it for granted that whatever phone I have someone will be tracking at least my IMEI, location etc. Since I am not a diplomat or something "sensitive" like that, I don't really care if the one tracking me is a US or Chinese company, corporations are equally not looking for my interests wherever they are based. In fact, historically, US companies have been shown to be very prone to sharing their data with the US government, so there is no way you can claim the Chinese ones are more dangerous because they have "stronger ties" with their government.

      --
      Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  7. This story is because of WHAT by Anonymous Coward · · Score: 0

    FUD.

    If somehow your already spied on by Google phone gets jacked just install a custom ROM.

    This is something you can DO on Android but not iPhones or any other homosexual devices.

    Meanwhile nobody reported how this bug affected their lives at all. News at your mom's tits.

    1. Re:This story is because of WHAT by Anonymous Coward · · Score: 0

      Show me how to install a custom ROM on a S7 with the latest gen of locked bootloaders, please. At least iOS has had no significant breaches to date, and any that are found get patches quite quickly.

    2. Re:This story is because of WHAT by Anonymous Coward · · Score: 0

      Show me how to install a custom ROM on a S7 with the latest gen of locked bootloaders, please. At least iOS has had no significant breaches to date, and any that are found get patches quite quickly.

      Oh well yes of course faggot.

      Sure you would want to hide your secret boyfriends from peeping toms. That is why you buy the faggot ass iphone to hide one boyfriend from all the other faggots.

      In reality though when you are not a faggot... Fuck your S7 then. Why do you need your phone to do warp speed when you are just going to call a bunch of craigslist faggots to hookup and bust nuts on chests.

      Stupid mother fucker. You can put Custom ROM's on Android. This was not some "how can I say it isn't so" contest. You stupid mother fucker. Put a custom ROM on your iphone and shove it up your asshole. xray it for specs like you have to always do on apple shit and see if you got 128 GB of cock in your reaking rancid stanky crusty shithole of a faggot birth canal.

    3. Re:This story is because of WHAT by Anonymous Coward · · Score: 0

      An Android user, ladies and gentlemen.

      So first they tell you how much better the latest Android handsets are compared to the iPhone. Then, they tell you not to buy them because you can't root them to install custom ROMs. You don't need all that performance anyway!

      The Android ecosystem is an absolute, unmitigated disaster.

  8. Reinventing the wheel... by Anonymous Coward · · Score: 0

    That's what you get for insisting on reinventing the wheel for handling multimedia instead of reusing code that has had years of security testing behind it already.
    Having programmers with obviously no competence in writing secure C code doing it surely didn't help though.

  9. Silence by ChoGGi · · Score: 1

    install and change it to be the default SMS/MMS app, open settings and disable auto-retrieving media messages
    https://f-droid.org/repository...

  10. Rooting and upgrade bugs... by Anonymous Coward · · Score: 0

    I would be far more likely to patch Android on my machines if the updates were not likely to result in the loss of root on my device.

    I am very interested in keeping my devices secure, but I am even more interested in actually owning the devices I paid for and physically possess.

    And this doesn't cover all the times that updating to a newer Android screws the device itself up pretty badly - it seems almost chronic with some companies that a new patch will end up with significantly worse battery life and/or a tremendous slowdown due to some bug that will take months to fix, assuming it is ever actually fixed.

    1. Re:Rooting and upgrade bugs... by Anonymous Coward · · Score: 0

      Update to a non-official firmware. Then you don't have to worry about losing root.

  11. AmiMojo is oddly silent by Anonymous Coward · · Score: 0

    Considering she keeps claiming it had been fixed a year ago for everybody via the Play Store App. Too bad it won't keep her silent in other discussions about the same subject.