Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Rebuilt the Android Media Stack To Prevent Another Stagefright

Posted by msmash on from the security-woes dept.

Reader Trailrunner7 writes: Android Nougat is bringing with it a slew of security improvements, many of them under the covers, and the one that likely will have the biggest long-term effect is the major rebuilding effort Google undertook on the media stack. That component of the operating system is meant to process audio and video, and it's been a weak spot in Android. The media stack includes the mediaserver process, which is used by a number of apps on Android devices. Researcher Josh Drake last year discovered a critical vulnerability in the libstagefright function in the media stack, which could allow an attacker to get complete control of a target device by sending a malicious MMS message. The Stagefright vulnerability is among the more widespread and dangerous flaws to affect Android, and though Google patched it last year, the company decided to take a more systemic approach to the problem in Nougat. Rather than addressing vulnerabilities on a case by case basis, Google implemented technologies to prevent a large group of bugs.

3 of 50 comments (clear)

  1. So, are they lying or stupid? by bistromath007 · · Score: 2

    By my understanding, devices they aren't putting Nougat on, like the Nexus 5, are still supposed to get security updates. This seems to be a major security update. So, rather than just put Nougat on the Nexus 5, which they easily could with its hardware, they've committed to individually patching a category of bug that they just put a bunch of work into not having to individually patch. Or is my phone continuing to get security updates a lie?

    1. Re:So, are they lying or stupid? by bluefoxlucid · · Score: 2

      This is an architectural change, not a patch for a security vulnerability. It doesn't remove a vulnerability; it changes the nature of a type of theoretical vulnerabilities.

      Your argument is akin to claiming a company's new product has major new safety features, and thus that they are compelled to perform a safety recall on unsafe defects in prior products which don't have said features. Suddenly all cars made before a certain year must be recalled because they don't have airbags or antilock brakes and are thus defective.

      --
      Support my political activism on Patreon.
  2. Re:Read as: Google fails to patch Stagefright by EndlessNameless · · Score: 4, Interesting

    Rearchitecting a product so that it is inherently less vulnerable is exactly what every software developer should be doing.

    Taking a stab at Google over this is something only an idiot would do.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.