Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Android Google Security

Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices 123

msm1267 writes: Security researcher Joshua Drake today disclosed two more flaws in Stagefright, one that dates back to the first version of Android, and a second dependent vulnerability that was introduced in Android 5.0. The bugs affect more than one billion Android devices, essentially all of them in circulation. One of the vulnerabilities was found in a core Android library called libutils; it has been in the Android OS since it was first released and before there were even Android mobile devices. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities. Google has released patches into the Android Open Source Project tree, but public patches are not yet available.
This discussion has been archived. No new comments can be posted.

Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices

Comments Filter:
  • Stagefright (Score:4, Funny)

    by tripleevenfall ( 1990004 ) on Thursday October 01, 2015 @10:51AM (#50635981)

    It's always been the audience that scares me, not the stage.

  • One of the great strengths of GNU/Linux is its diversity. Like biological life, it is constantly changing, morphing and becoming something new. And also like biological life, constantly changing helps protect against "bad stuff".

    I hereby call for a "fork-fest" of Android - everybody make your own distribution of Android, remove code, add code, make it different. Android is sort of lip-service to the open source ecosystem. I'm not saying that this vulnerability is a result of that lip service, but I'd really

    • Re: (Score:3, Funny)

      by Anonymous Coward

      Yeah! Let's have loads of different new vulnerabilities to deal with. And the fragmentation of different versions of Android isn't enough, so let's add a fuckton of forked versions into the mix to spice things up.

      Inevitable that the whole will become stronger? Android (hardly forked) is wildly successful as is, Linux (heavily forked) is wildly unsuccessful on the desktop. Let's please not take Android down the path of desktop Linux.

      Jeez. It'd be less fork-fest and more bug-kakke.

      (sorry, just had to slip tha

      • by tripleevenfall ( 1990004 ) on Thursday October 01, 2015 @11:17AM (#50636127)

        Fragmentation is one of Android's weaknesses, not a strength.

        Calling for more fragmentation makes no sense. It would leave people stuck on islands where features lag behind, incompatibilities abound, and no fixes will be available for future vulnerabilities. Fragmentation makes the problem worse, not better.

        The point isn't to emulate a walled garden, nor is it to have everyone brew their own a la Linux. The point is to make the user experience close to the simplicity and compatibility of the walled garden, while still preserving the open platform.

        • The point isn't to emulate a walled garden, nor is it to have everyone brew their own a la Linux. The point is to make the user experience close to the simplicity and compatibility of the walled garden, while still preserving the open platform.

          Unfortunately, the "Curated Collection" (a/k/a "Walled Garden") approach and the "Free-for-All" (a/k/a "You asked for it") approach appear to be mutually-exclusive.

          Android tries to split the difference now as it is, by having the User have to "disable" the "Only From Play Store" download switch (or is it the other way around?) but that simply doesn't work, mainly because even very significant percentages of Play Store Apps have been found to be unsafe.

          Face it. Android's Security Model is a shambles, and

          • by Anonymous Coward

            Uhm... You know that a tens of thousands of malware / spyware apps trampled that walled garden a week or two ago, right?

            There has been a bunch of apps that should not have been allowed on the store but made it in on top of that (even though they were found useful, but that's not the point)... things like the secret flashlight tethering app a couple years ago, that security researcher who had 10-100k users download his potentially malicious command-and-control center?

            Are you seriously still believing that i

            • by macs4all ( 973270 ) on Thursday October 01, 2015 @12:18PM (#50636783)

              Uhm... You know that a tens of thousands of malware / spyware apps trampled that walled garden a week or two ago, right?

              Tens of thousands? REPUTABLE Citation, please?

              There has been a bunch of apps that should not have been allowed on the store but made it in on top of that (even though they were found useful, but that's not the point)... things like the secret flashlight tethering app a couple years ago, that security researcher who had 10-100k users download his potentially malicious command-and-control center?

              Are you seriously still believing that i things are immune to malware?

              I (and Apple) never said iOS Devices are IMMUNE from Malware; but I think that iOS' track record in that regard speaks for itself.

              Plus, I love the way that Fandroids keep harping on the VERY few examples of things slipping past (having to go back YEARS to find one or two examples of Trojans that made it through Apple's Approval Process, and blithely IGNORE the metric buttload of (also see the links in that article) malware-containing Apps [arstechnica.com] in the Android ecosystem, a good number of which are, or until recently, when Google started getting more serious about vetting Apps, were available in the Play Store.

        • And yet everyone who posts that fails to realize how different everyone else's view of a 'perfect' OS is. Fragmentation means we don't all have to be the same.

      • Yeah! Let's have loads of different new vulnerabilities to deal with. And the fragmentation of different versions of Android isn't enough, so let's add a fuckton of forked versions into the mix to spice things up.

        Inevitable that the whole will become stronger? Android (hardly forked) is wildly successful as is, Linux (heavily forked) is wildly unsuccessful on the desktop. Let's please not take Android down the path of desktop Linux.

        Jeez. It'd be less fork-fest and more bug-kakke.

        (sorry, just had to slip that one in).

        You are exactly correct, which is why none of the Fandroid-Mods will Mod you up.

      • Jeez. It'd be less fork-fest and more bug-kakke.

        Well... That's an image I didn't need...
        never gonna look at my phone the same way again...

    • That the problem android is already massively fragmented every device / carrier combo is a unique device with its own update rules

      That's why nexus devices get updates and nothing else does. The carriers won't update jack shit as that is like work.

      It is why Apple has such high new is and security update rates. They told the carriers to fsck off.

      • by tripleevenfall ( 1990004 ) on Thursday October 01, 2015 @11:18AM (#50636139)

        The carriers are only going to do the minimum for each device. Why would they invest development time in a device that isn't for sale anymore?

        • by mwvdlee ( 775178 )

          A sense of moral responsibility?

          Nah, I'm just kidding! :)

          • by Anonymous Coward

            A sense of moral responsibility?

            Nah, I'm just kidding! :)

            Now that made me laugh. It's sad that the idea of moral responsibility for a corporation is so absurd.

            • Not necessarily for corporations, but definitely for telcos.

              They've had no sense of moral responsibility since telegraphs were in use.

        • The carriers are only going to do the minimum for each device. Why would they invest development time in a device that isn't for sale anymore?

          Um, because Apple does?

          • The problem is phones sold by the carrier, which are then customised. Apple doesn't allow this kind of customisation, so there's no reason for the carrier to the anywhere on the upgrade path. Most Android vendors do, which means that you have to get the firmware upgrades from them, rather than the manufacturer. If you buy one directly, then manufacturers vary wildly (and so do devices from the same manufacturer) in how timely they are in pushing updates. And they're all pretty bad, so there's no much in
            • The problem is phones sold by the carrier, which are then customised. Apple doesn't allow this kind of customisation, so there's no reason for the carrier to the anywhere on the upgrade path. Most Android vendors do, which means that you have to get the firmware upgrades from them, rather than the manufacturer. If you buy one directly, then manufacturers vary wildly (and so do devices from the same manufacturer) in how timely they are in pushing updates. And they're all pretty bad, so there's no much incentive to compete.

              Thanks Captain Obvious.

              So, since you have (correctly) identified the problem, why hasn't Google fixed it?

              • Probably market dynamics. Google doesn't have relationships directly with carriers except for with the Nexus devices. The carriers deal with the OEMs, and the OEMs deal with Google. Google has all the muscle, and none of the standing to get it done. The OEMs have none of the muscle, but all of the standing.

                As Apple plays both the part of Google and OEM in their ecosystem, they have both the muscle and standing.

                • Probably market dynamics. Google doesn't have relationships directly with carriers except for with the Nexus devices. The carriers deal with the OEMs, and the OEMs deal with Google. Google has all the muscle, and none of the standing to get it done. The OEMs have none of the muscle, but all of the standing.

                  As Apple plays both the part of Google and OEM in their ecosystem, they have both the muscle and standing.

                  I agree that Google let the horse out of the barn in the beginning; but maybe the OEMs, if not the Carriers, will change their tune if enough migration away from Android happens.

                  It that world, even a 1% migration amounts to hundreds of thousands, if not a few million, lost sales.

              • Re: (Score:2, Troll)

                I continue to hate on google.

                a friend convinced me to try a 'new' android phone (older used one but a few gens back so its now affordable). my one and only android, the N1, is stuck at 2.2 or something equally ancient and I'm tired of that being such a POS.

                refurb phone came with 4.4. I rooted it (lg g2) and installed twrp recovery (not easy at all, for some reason) and then a custom rom based on 4.4, supposedly with lots of fixes.

                I then find out that vpn is broken (by design) in ALL 4.4 codebases. everyo

                • Re: (Score:2, Informative)

                  by swv3752 ( 187722 )

                  Unless you bought a Nexus device, most of the issues you mention are the fault of the Vendors and the carriers, not Google.

                  • by TheGratefulNet ( 143330 ) on Thursday October 01, 2015 @01:25PM (#50637375)

                    google designed a faulty os, their update model is broken, their fragmentation is a nightmare and the fact that they broke vpn's for ALL of 4.4 is NOT a carrier issue, my friend!

                    I love to blame carriers, too; but vpn api being broken for a year and NOT BEING FIXED is a carrier issue to you? how in the world is that their fault when google, themselves, abandoned 4.4 for key bugfixes?

                    I'm supposed to jump on 5.0 and not expect MAJOR bugs to be fixed in just a few versions back; a still-current version for most people??

                    google owns this one. sorry if that goes against your narrative but vpns being broken in a whole version and never being fixed is a huge slap in the face.

                  • When there is a security vulnerability found on Windows, I can download the patch without waiting for Dell no matter how much crapware Dell installs.

          • There's no one standing between an iPhone user and Apple disrupting the process. The user's phone is connected directly to the vendor, who can push updates to it without interference.

            As a result, a user who bought an iPhone 4S in 2011 is still on the latest and greatest today. Someone who bought a Galaxy S2 in 2011 was left at Jelly Bean.

      • by Lumpy ( 12016 )

        I so wish that the next version of android that google tells carriers to fuck off.
        I am so done with the baked in crap from HTC/Samsung/etc and the deviation from pure android get's so bad that some like HTC confuses some people.

        New version require it to be pure with NO apps baked in and permanent or they cant advertise or use the name "android" in any way. It will force them all overnight to stop it. They also need to force them to push out updates 15 days after google does or lose the rights across all

        • It will also force them to find a new platform.

          Do you thing either the OEMs or the carriers are going to stop doing this?

          Brand differentiation, monetization, vendor lock in ... all of these things say these companies have no interest in selling a vanilla version of Android. What's in it for them? Samsung has their own store, their own apps and ecosystem, and want people locked into Samsung.

          I agree with the sentiment, but if you think it'll happen you're kidding yourself.

          • by Lumpy ( 12016 )

            No it wont. You seem to not understand consumer demand.....

            Want an example? sure!

            Look at any phone running a Microsoft OS.

        • I so wish that the next version of android that google tells carriers to fuck off. I am so done with the baked in crap from HTC/Samsung/etc and the deviation from pure android get's so bad that some like HTC confuses some people.

          New version require it to be pure with NO apps baked in and permanent or they cant advertise or use the name "android" in any way. It will force them all overnight to stop it. They also need to force them to push out updates 15 days after google does or lose the rights across all products.

          Apple did it. What's Google's problem?

          Does anyone here even SLIGHTLY believe that Google doesn't have as much negotiating leverage as Apple?

          • Does anyone here even SLIGHTLY believe that Google doesn't have as much negotiating leverage as Apple?

            Holy crap yes.

            Apple sells phones directly to users for the carriers.

            Google sells an OS to the phone manufacturers who customize who then sell it to the carriers who customize it some more who then sell it to the users.

            Google can't do shit to that chain. Mindbogglingly, it's actually what they wanted.

            • Google sells an OS to the phone manufacturers who customize who then sell it to the carriers who customize it some more who then sell it to the users.
              Google can't do shit to that chain. Mindbogglingly, it's actually what they wanted.

              Microsoft sells an OS to computer manufacturers who customize it and they sometimes sell them to resellers who further customize it (i.e. Best Buy). Guess what? When Microsoft provides a security update, I don't wait on Dell or Best Buy for the patch.

              When MS releases a new OS, t

              • Google chose a different route than Apple or Microsoft. The worst of both worlds, if you will.

                That's entirely on Google.

        • I so wish that the next version of android that google tells carriers to fuck off. I am so done with the baked in crap from HTC/Samsung/etc and the deviation from pure android get's so bad that some like HTC confuses some people.

          Are you complaining about carriers or manufacturers? Google can't tell manufacturers (HTC/Samsung/etc) to fuck off, because they're the ones that build the device. There are already fairly strict restrictions on what you can do if you want to include the Play store (i.e. you have to install all of the other Google crap), which is what's pushing Samsung to fork Android, but the core open source OS is... open source.

          The manufacturers, on the other hand, could tell the carriers to fuck off, and not provide

      • My M8 is running Android 5.0.1, not the latest, but not what it was born with (4.4.2).

        Lots of phones get updates, but lots of lower performance phones do not, for obvious reasons. And unpopular phones ditto.

        The carriers do abandon phones regularly, but not universally.

      • It's OK the market will fix it.

    • by mwvdlee ( 775178 )

      And how exactly does this solve the problem of hardware manufacturers not updating locked firmware?

      • And how exactly does this solve the problem of hardware manufacturers not updating locked firmware?

        Do you really think that the OEMs don't have the "magic key" that unlocks the unlockable?

        Because if not, and they REALLY have to get out the JTAG programmer and open up each and every phone, then those OEMs should be taken out back, stripped, and introduced to goatse...

        • Because if not, and they REALLY have to get out the JTAG programmer and open up each and every phone, then those OEMs should be taken out back, stripped, and introduced to goatse...

          Tell you what.

          You do whatever you can to fulfill this entertaining bit of justice. And the wireless companies will spend a small portion of their significant wealth to buy whatever it takes to prevent the occurrence of this. Which one wins?

          Yeah, in a just world, Android users wouldn't be held captive by wireless providers that

          • The reality on the ground is this: a large subset of the > 1 billion current Android devices will never be free of this vulnerability. And that's ok by the manufacturers and network providers, because it's a market opportunity.

            And it's ok by Apple, too; who are beginning to see the record-breaking hordes of jaded Android users migrate back to the relative safety (and definitely better upgrade policy!) of iOS.

    • Fragmentation isn't the problem. Even if somebody built a secure fork who would adopt it? Not Google. Not Samsung. Android is fundamentally built without security in mind. This is just the beginning of the Android flaws, they could be coming for years. It needs a complete audit and overhaul. Jezus now I have to fork over almost a grand to Apple so I can do my job safely!

    • One of the great strengths of GNU/Linux is its diversity. Like biological life, it is constantly changing, morphing and becoming something new. And also like biological life, constantly changing helps protect against "bad stuff".

      You're confusing evolution with Intelligent Design. Constantly changing, even randomly, is a valid way to outwit a slowly evolving creature -- but for software, it means constantly risking the introduction of new flaws. In biology, just about any change means the enemy has to slowly evolve to take advantage of it -- but for software, you face intelligent attackers. Software has an advantage compared to biology -- well-made software provides an impermeable defense, that can't be breached unless you convince

    • Software isn't food and it isn't alive. Forking is a terrible idea. Phone carriers would never let forks run on their networks, knowingly, for various reasons. Also forking Android doesn't mean the flaws would all suddenly go away. What if the flaw was in a base part of the code? Other flaws could be introduced as well. All you're doing is spreading the risk, not fixing the problem.
    • Fragmentation is why Google is going to have a hard time containing these vulnerabilities. The number of phones that will never be fixed is shockingly high.

  • It's unfortunate that Google gave away so much control of Android. This means pretty much all Android devices are vulnerable, and unless the user has the skill and ability to install a non-vendor version of Android (eg: cyanogenmod), then these people are screwed.

    Most android device manufacturers can't be bothered to release updates for their devices, and even when they do, you may still get railroaded by the carrier, leaving a very large number of devices vulnerable to who knows how many exploits. Of cou

    • It's unfortunate that Google gave away so much control of Android. This means pretty much all Android devices are vulnerable, and unless the user has the skill and ability to install a non-vendor version of Android (eg: cyanogenmod), then these people are screwed.

      No, what's "unfortunate" (actually bordering on criminal negligence) is Google not AMENDING their OEM and Carrier Policies to be more in line with Apple's.

      The ONLY explanation at this point is that Google simply doesn't care about what happens to its Users, so long as the Click Revenue and Data Mining is running full-tilt-boogie.

  • How do I inform Verizon and Motorola that I won't buy an android phone from them EVER AGAIN until they start supporting their products with security patches?

    My phone STILL hasn't been patched from the first stagefright vulnerability. I've disabled functionality on the phone in order to protect it.

    I'm downright upset about the lack of security fixes from Motorola/Verizon.

    Seriously, how do I let those two corporations know in an effective way that they'll NEVER get another phone purchase from me until they've changed their do-nothing security practices? Not one penny!

    • by gstoddart ( 321705 ) on Thursday October 01, 2015 @11:23AM (#50636171) Homepage

      Well ... you could picket naked outside of their offices ... you could post a stern comment on Slashdot ... you could send a stern letter to their customer service ... or you could simply not buy them.

      Except the first one, which might get you some media coverage, the remainder will all have the exact same result ... nobody will give a crap.

      Don't get me wrong, I agree with you. But one lone consumer saying they won't buy the product? Sorry, but the net result of that is precisely nil ... corporations don't care about one individual, and unless a very large amount of customers do something very vocal, nothing at all will happen.

      And those "market solutions" everybody talks about? They don't happen either, because consumers fail to care, or nobody builds the competing version and sells it in order for people to choose it.

      So, your only real solution? Buy a Nexus device. Those are the ones which always get updates. Pretty much every proprietary version will get support until the manufacturer moves on to the next model.

      • So, your only real solution? Buy a Nexus device. Those are the ones which always get updates. Pretty much every proprietary version will get support until the manufacturer moves on to the next model.

        That's not your ONLY solution...

        And iOS almost always reaches several models back with Updates. And if they are critical Updates, sometimes even further back than usual.

        • That's not your ONLY solution...

          GP talks about Android, story is about Android ... and you spout off about iOS.

          Sorry, thanks for playing ... here's a lovely parting gift.

          Look, I have both Android and iOS devices. But, honestly, randomly saying "yarg, use teh Apple" is kind of pointless here.

          And, quite frankly, having had Apple upgrade my original iPad to the point of uselessness and then abandon it, I'm not willing to update my iPod touch ... because I no longer trust Apple to not fuck up my device and the

          • GP talks about a mobile devices operating system, story is about a mobile device operating system ... and this guy dares spout off about an OS for a mobile device. THE NERVE.
    • by Lumpy ( 12016 )

      Easy, stop buying phones from them and only buy from play.google.com

      • Easy, stop buying phones from them and only buy from play.google.com

        Has Google added any non-basic phones yet? I only have four requirements and I'd buy pretty much any phone that had them:
        1) MicroSD slot (swap cards as needed)
        2) removable battery (security)
        3) unlocked bootloader (load useful software)
        4) will activate on the VZW network (geography)

        Everything else about the phones are common enough today that I don't even care. I haven't found a single one so far that passes this basic test. Prove me wron

        • I also valued the sd card and swappable battery. it was hard for me to convert over to an lg g2 (at a friend's request). the sd card this is not hard to deal with; a $10 OTG adapter gives you usbstick access or even micro-sd. it sticks out (dongle) but its not horrible.

          battery wise, my phone can take new batteries but its a huge issue to open the phone and dig out so many things. the batt is not soldered it, but its pretty deep inside. still, a batt change would be needed every 2 years or so and when t

    • You don't. Verizon just does whatever the hell they want to do.

      Though if a stagefright vulnerability made it into the wild and started bringing down Verizon's wireless infrastructure...that might trigger a reaction. Hard to say though, because the affected customers would get a high data bill, which Verizon would love. Though if they can demonstrate in a civil court that a Verizon brand phone operating within Verizons own parameters is misbehaving due to somebody the customer has no relationship to taking n

    • You need to find the appropriate product manager, and inform them.
      There are people whose job it is to figure out what people want. You need to find those people and communicate with them.
    • by nnull ( 1148259 )
      Don't forget Samsung as well who still to this date haven't really done anything with Stagefright. And Google still hasn't really completely patched against it for how long now? These phones are starting to be worse than Windows 98 full of malware and spyware.
    • Send them a comically large postcard stating this fact, take pictures as you go to mail it and post them to their corporate Twitter/Facebook/whatever.
      The text on the comically large postcard should be sarcastic and ironic. Dress it up to be like a giant check those prize patrol vans hand out. Use words and phrases like "Congratulations!" or "You have been selected to never get any of my money!" or "1,000,000,000 Devices Vulnerable!".

      The tech tabloids and "news" aggregators will pick it up and the "story"

    • Answer: class action lawsuit.

    • While the process to buy one is kind of a pain until the company figures out their manufacture and supply issues, look at OnePlus for your next phone. The phones are not tied to any carrier, you own them outright and they sell them dirt cheap for very low margins (hence the complete lack of spare inventory standing by for you to purchase). I have a OnePlus One that is almost a year old and it's currently running Android 5.1.1 (shipped with 4.4.4 I think) plus Cyanogenmod. The current phones are running t

    • by b0bby ( 201198 )

      Motorola seems ok to me - I have an unlocked 2013 Moto X and got a Stagefright update a couple of weeks ago.
      I try to avoid Verizon if I can anyway.

    • Well you could take the fight club approach and blow up their HQ offices while having a plane flying by raining down leaflets telling them why it got blown up. That would probably get their attention.
    • What Moto phone do you have anyway? The OG Moto X recently got the fix along the with the Lollipop update and the Moto Droid Turbo just began soak tests today so it is probably coming to everyone within a week or two.

      I am a Computer Systems Engineer and an Android developer as well as the proud owner of an OG Moto X DE, and I was utterly unconcerned about the 1st Stagefright vulnerability because of ASLR protection. With Stagefright 2.0 they claim they can get around ASLR, but this has yet to be proven by

    • My phone STILL hasn't been patched from the first stagefright vulnerability. I've disabled functionality on the phone in order to protect it.

      Protect it from what? If your phone was made in the past 3 years it likely has a version of Android that implements ASLR which severely limits what arbitrary code execution can do on a device. This is espeically important given the insane fragmentation of Android which makes all but the most targeted of attacks quite useless and even then they are very difficult. End result is that no one has been able to show that Stagefright is being actively exploited in the wild.

      This has all been a very big yawn, and I

    • I need access to Verizon towers because it is the only signal that I can get at work.

      I first signed up with Page Plus Cellular, then moved to Tracfone after the America Movil buyout. I finally upgraded to a 4g device six months ago.

      I can't run cyanogenmod because of Verizon's fascist bootloader locking. I do run an alternate touchwiz rom, and I have purged everything from it that mentioned Verizon.

      And when Verzion shows up in my Facebook feed, I ask them why they lock their bootloaders and FORCE their users

    • Seriously just buy a damned blackberry.. I've been using my z10 for three years now and have no real interest in upgrading it. Sure a better camera could be nice but it runs smooth as butter, has amazing battery life, I can side-load most android apps (I don't really need to though), has the best messaging platform (the hub) bar none, the best multi-tasking capabilities out there, and best of all.. I don't have to worry about this constant drumroll of security flaws found in android and iOS.
  • The fact that these and the previous Stagefright bugs and others like them will never be fixed on most of the affected handsets, along with other nice things I'm hearing about the newer iPhones have me contemplating something that a year ago would have been anathema.

    I may actually end up switching to an iPhone this fall instead of a new Android phone.

    That may depend on some other things like root availability and CyanogenMod planning for possible handsets, but even with those a lot of the nice things on And
  • Stagefright 1.0, however, was exploited via a specially crafted MMS message which were at the time automatically processed by Stagefright. Google’s patch means Stagefright no longer does so, especially in new versions of Google’s Messenger and Hangouts apps. With Stagefright 2.0, Avraham said the most logical attack vector would be the mobile browser where an attacker tricks the victim via phishing or malvertising to visit a URL hosting the exploit. An attacker could also inject the exploit via

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...