Slashdot Mirror

← Back to Stories (view on slashdot.org)

Android Stagefright Bug Required 115 Patches, Millions Still At Risk (eweek.com)

Posted by EditorDavid on from the 12-months-later dept.

eWeek reports that "hundreds of millions of users remain at risk" one year after Joshua Drake discovered the Stagefright Android flaw. Slashdot reader darthcamaro writes: A year ago, on July 27, 2015 news about the Android Stagefright flaw was first revealed with the initial reports claiming widespread impact with a billion users at risk. As it turns out, the impact of Stagefright has been more pervasive...over the last 12 months, Google has patched no less than 115 flaws in Stagefright and related Android media libraries. Joshua Drake, the researcher who first discovered the Stagefright flaw never expected it to go this far. "I expected shoring up the larger problem to take an extended and large effort, but I didn't expect it to be ongoing a year later."
Drake believes targeted attacks use Stagefright vulnerabilities on unpatched systems, but adds that Android's bug bounty program appears to be working, paying out $550,000 in its first year.

16 of 50 comments (clear)

  1. And yet... by Anonymous Coward · · Score: 3, Informative

    ...My Galaxy S4 has received NONE of these updates.

    Thanks, Sprint!

    1. Re:And yet... by ArmoredDragon · · Score: 1, Interesting

      As much as I really hate Sprint and think they're easily the worst carrier by a cubic lightyear, that's more likely to be a Samsung problem. Samsung is downright shameful when it comes to updates, and furthermore they're the single biggest reason why iPhone lovers and other pundits think Android is buggy and laggy. I owned a Galaxy Note 4, and after that I'll never buy another Samsung phone again.

    2. Re:And yet... by konohitowa · · Score: 1

      My unsupported Tab 10.1 is what put me in the same camp as you in regard to Samsung. The one and only update Samsung provided for it resulted in a bug that would cause any app to crash if you tried to copy anything you highlighted. Fixing that required rooting it so I could delete a corrupt database file - which I knew how to do because so many other people had the same problem. I might as well have just burned the money for all the use I got out of it (that wasn't the only flaw in the thing, just the worst).

    3. Re:And yet... by jonwil · · Score: 1

      Even worse is when OEMs lock their phones so you cant install custom firmware from third parties that actually incorporates security fixes like this.

    4. Re: And yet... by Billly+Gates · · Score: 1

      Buy a Nexus!

      Pure Google and monthly updates and no lag whiz or carrier crap. I love my 6p

      --
      http://saveie6.com/
    5. Re:And yet... by jrumney · · Score: 1

      Are you sure that the vulnerability is not still there? The bulk of the problems were in the media parsing libraries. MMS was just the publicized vector by which the vulnerabilities could be exploited remotely. It doesn't mean there weren't other vectors, especially when you start factoring in third party applications which most likely use the same libraries.

    6. Re:And yet... by jrumney · · Score: 2, Informative
      The 115 is an alarmist figure. I've looked through some of the patches, and it seems what happened was:
      1. Quick patch to MMS to mitigate the attack vector that was publicized
      2. Quick patch to Stagefright library to avoid the vulnerability
      3. Many patches to Stagefright to redesign the handling of media files completely
      4. More quick patches to various components as more vectors to the original stagefright exploit were found

      So only a handful of the patches are needed to avoid the exploits. The rest are general cleanup and redesign in response to the problems triggering a rethink about how to handle media from unknown sources.

    7. Re:And yet... by jrumney · · Score: 1

      There were at least two distinct exploits, and the second one was still exploitable after the first quick patches (hence the last "more quick patches" in my list)

  2. So far...... by phantomfive · · Score: 1

    Android Stagefright Bug Required 115 Patches....

    .....so far. Where there 115 patches, there is one more un-patched bug.

    --
    "First they came for the slanderers and i said nothing."
  3. No surprise here by thundercattt · · Score: 1

    Lazy phone makers don't bother upgrading the OS on non flag ship models. Ya if you have a Nexus or a Samsung Galaxy you'll get the update. My Samsung Rugby (rugged) still using 4.4.2. Even when this bug dropped, everyone promised patches. Samsung said hey we released new phones. There's nobody forcing it to be patched on these unpatched phones.

    1. Re:No surprise here by No+Longer+an+AC · · Score: 1

      Lazy phone makers don't bother upgrading the OS on non flag ship models

      But the flagship you buy today will not stay the flagship for long.

    2. Re: No surprise here by thundercattt · · Score: 1

      I can't comment on what I don'tuse but thus far my Nexus 5 receives every update. +1 to Google.

  4. Strangely, cheaper = more secure in this case by Ecuador · · Score: 2, Informative

    It is very strange that while Samsung phones that me and my wife used to have had were not updated much (especially the non-flagship devices), from the moment I tried the cheap Chinese Xiaomi I've been enjoying continuous updates to all devices, from flagship to budget (and this, along with other reasons, is why I am sticking with Xiaomi for the time being). E.g. your phone will be running Android 6.0.1 whether you have the latest flagship (Mi 5), or the previous flagship (Mi 4) or the flagship before that (Mi 3 from 2013) or their cheapest device from 2 years ago (Redmi 1S) etc. And all these cost 1/2 to 1/3 the price of the equivalent Samsung/LG etc.
    So, in this case buying "cheap Chinese" means you are the most protected from such issues. Yes, I know Xiaomi does not sell to most countries, I had to order it from a Chinese e-tailer who had an EU warehouse. And if you order from a Chinese e-tailer, whatever brand the phone it is almost guaranteed to be full of adware and spyware so your first move would be a clean install. Which is surprisingly easy on a Xiaomi, in fact you don't even have to use a PC - you can just go to the Xiaomi website to download the latest version, rename the file per the instructions, reboot in recovery mode and clean-install it! They even have dual boot - keeping a clean OS in case you screw up your regular installation.
    Sorry for the "ad", but I can't believe I have paid up to $600 in the past (or more if we include phones my company has provided me like the iPhone 6 Plus), when a $200-$250 phone has proved better IMHO in both hardware and software...

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    1. Re:Strangely, cheaper = more secure in this case by Szeraax · · Score: 3, Interesting

      Based upon this post alone I am scared of those phones: http://forum.xda-developers.co...

      But I really don't have enough knowledge to know.

    2. Re:Strangely, cheaper = more secure in this case by Ecuador · · Score: 1

      Well, that post is before Xiaomi turned the default of the "data sharing to improve experience" to off (you could set it to off yourself before) and also use of free services like the Mi cloud do share your details with Xiaomi as you should expect. But, for example, Microsoft sends more data, even if you say "no" to everything according to reports. And Xiaomi releases the kernel source of their OS, which is something Microsoft and Apple don't do. So I sort of take it for granted that whatever phone I have someone will be tracking at least my IMEI, location etc. Since I am not a diplomat or something "sensitive" like that, I don't really care if the one tracking me is a US or Chinese company, corporations are equally not looking for my interests wherever they are based. In fact, historically, US companies have been shown to be very prone to sharing their data with the US government, so there is no way you can claim the Chinese ones are more dangerous because they have "stronger ties" with their government.

      --
      Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  5. Silence by ChoGGi · · Score: 1

    install and change it to be the default SMS/MMS app, open settings and disable auto-retrieving media messages
    https://f-droid.org/repository...