Stagefright Patch Incomplete and Zero Day in Android Google Admin App Found 42
msm1267 writes: A patch distributed by Google for the infamous Stagefright vulnerability found in 950 million Android devices is incomplete and users remain exposed to simple attacks targeting the flaw. Researchers at Exodus Intelligence discovered the issue in one of the patches submitted by Zimperium zLabs researcher Joshua Drake. Google responded today by releasing a new patch to open source and promising to distribute it next month in a scheduled OTA update for Nexus devices and to its partners. Drake's original patch failed to account for an integer discrepancy between 32- and 64-bit, Exodus Intelligence said. By inputting a specific 64-bit value, researchers were able to bypass the patch. Exodus, which submitted a bug fix of its own to Google, said it decided to go public with its findings for several reasons, including the fact that the vulnerability was widely publicized by Zimperium before and during Black Hat, not to mention that Google has had the original bug report since April, yet neither party noticed the discrepancy in the patch. The Android security team at Google is having a busy month. Trailrunner7 writes: Researchers at MWR Labs have released information on an unpatched vulnerability that allows an attacker to bypass the Android sandbox.
Re: (Score:1)
You gotta a banana in your ear
What?
You have a banana in your ear!
Huh?
I said, YOU HAVE A BANANA IN YOUR EAR!!
What? I can't hear you! I have a banana in my ear!
Re: (Score:1)
I believe he is trying to inform you to turn your head 90 degrees and insert it in your mouth.
Re: (Score:3)
The first one can be exploited by sending an SMS to a vulnerable device, according to this report [exodusintel.com]. The fundamental flaw here is running the MPEG decoder as a trusted user. Until that changes, there will likely be a steady stream of vulnerabilities.
Re: (Score:3)
The second one is easily exploitable, but requires that an app send a malicious URL to the admin app. In other words, for it to work, you need to either install a malicious app, or have another app on your device with its own vulnerability.
You're talking about the Certifi-gate vulnerability. Another requirement for it to be exploitable is that your device has to have an exploitable remote admin tool installed by the OEM.
The first one can be exploited by sending an SMS to a vulnerable device, according to this report [exodusintel.com]. The fundamental flaw here is running the MPEG decoder as a trusted user. Until that changes, there will likely be a steady stream of vulnerabilities.
That is the stagefright vulnerability. It's exploitable on ICS and below. The patch being pushed to many OEM devices right now fixes it. Exodus is wrong about that because they're looking at only one of the patches applied. Jduck's original patch had a bug, which Google fixed. All of this is visible in AOSP.
Re: (Score:2)
My question is, has there actually mean a successful exploit of the vulnerability? From the sounds of it address space layout randomisation, present since Android 4.0, would make it very hard if not impossible to execute an exploit. Just interested in what the real threat is and not the hyped up media version.
The weak ASLR in ICS can be worked around, and jduck (finder of the bug) has demonstrated exploiting it. Exploiting it on Jelly Bean or later, which have much better ASLR, would require sending many, many malformed videos trying to randomly hit on an useful address. No one has had any success at that.
Re: (Score:2)
That's good to hear. These exploits often don't seem to be as bad as initially suggested. No big surprise there, I guess.
This Google Admin app bug doesn't seem to be a general sandbox bypass as the summary implies. It's not even a bug in Android. One app by Google to let people admin their custom Apps domains will open a URL with an embedded webview, if asked. So then perhaps the embedded web view can be used to exfiltrate files from the Admin app. But are there any sensitive files there to be stolen? The a
Android is the new Windows XP (Score:4, Informative)
It seemed for awhile several years ago that every other day there was a new nasty vulnerability in Windows XP. Some of these got exploited by nasty worms such as Blaster. Part of the issue was that Windows was designed without enough concern for security, something that really has changed in the past several years. But users also weren't installing Windows updates like they needed to, leaving them unprotected from exploits. That forced Microsoft to make some big changes in the design of Windows and to its practices in distributing updates. There are still plenty of Windows vulnerabilities, many of which are critical, but updates get distributed and installed much quicker and by a much larger proportion of the users. I'm less bothered by Android vulnerabilities being found and more concerned about how the patches get distributed. Android is a great target for criminals looking to exploit users because it has a large market share and many devices don't get updates regularly. I'd be far less bothered if I could trust that Samsung and Verizon would push out an update promptly, but that doesn't happen. I don't feel particularly vulnerable just because these security holes are being found; however, I don't trust that my Galaxy Note 4 will get an update pushed out to it in a timely manner. I'm not sure how seriously Google takes this, either, if they're going to wait until next month to release a fix. Microsoft did a lot to address the security issues with Windows. A similar thing needs to happen very soon with Android.
Re: (Score:1)
735 faster then M9? Doubt it. Highly anecdotal.
Safer? For the same reason OSX is safer - almost no-one uses it, compared to android. Larger target group makes it much more likely a exploit will be found.
And lastly, "it has almost everything you need....". Almost is the key here, almost. I has most of the most popular apps like twitter, facebook etc. But lacks the really usefull ones like parking apps, bank apps, that hot messaging app etc. List goes on.
And most criticacly - no support for either Apple softw
Re: (Score:1)
OSX is safer
That statement has not been true for more than a year now. Not with the number of vulnerabilities found in various open source libraries as well as OS X specific vulnerabilities.
Me being the one of 3 people using a Windows Phone (Score:1)
Re: (Score:2)
Why not just get a flip phone instead?
It's "just a phone" and will last a week or more without charging.
I wouldn't be surprised if flip phones outsell Windows Phone 10 by a significant margin.
Re: (Score:2)
Why not just get a flip phone instead?
Because no one makes a flip as beautiful, well-made and small-footprint as the Razr.
That atrocity by LG the other day looks like a Razr with a tacky leather cover glued on to it -- that doesn't count. That's a near copy.
After the Razr, all flips are hopelessly plasticky fragile constructions.
My Razr lasted 6 years. Longest-lived phone i've had.
Re: (Score:2)
does this mean their exploit test is flawed? (Score:2)
Exodus is wrong (Score:5, Informative)
Exodus is wrong.
The flawed patch they mention in their post isn't the one being pushed to devices. What makes this funny is that the correct patch is in AOSP, for everyone to see. What Exodus posted is the patch that jduck suggested. And it's in AOSP here [googlesource.com]. But Google further updated it with this [slashdot.org], which fixes the flaw Exodus noticed in jduck's fix.
There are still some known ways to crash libstagefright, but they're assertion crashes. They crash safely, no possibility of exploitation.
Re: (Score:2, Informative)
Prediction: On 64-bit machines GCC and clang will complain about the comparison (SIZE_MAX < chunk_size) being always false. Then some idiot will remove the code to fix the warning, thus silently breaking 32-bit builds. Alternatively, they'll disable the warning, possibly causing future logic bugs to slip through.
The better fix here would be to not use the magic variable SIZE_MAX, as its use relies on unenforced assumptions about its relationship to the type of the critical expression of interest. One wa
Re: (Score:2)
dumbphone (Score:2)
Re: (Score:1)
Hey, may be we shouldn't have computers connected to internet, because you know "Hackers"!!!
Seriously, what's with all this paranoia? Yes, mobile OS vendors have probably been lax until now, and once vulnerabilities are found, they will clean up their act, or they will be overthrown in the market by someone who does a better job. Windows used to suck, but now it's much better. I'm sure Android will get there too. That does not mean, we can give them a pass for security vulnerabilities. We should absolutely
Google... Heal Thyself (Score:3)
From the article:
The flaw was initially reported over 120 days ago to Google, which exceeds even their own 90-day disclosure deadline.
Do you remember them throwing Microsoft under the bus by releasing information about a flaw before it was patched? Yeah. Oops.
In summary, the Stagefright disclosure process was an interesting one to observe. The (un)surprising outcome being that given all the exposure this vulnerability received combined with essentially infinite resources on the vendor side, effective security mitigations were still not deployed. Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?
I don't particularly dislike Google. I use Android and several of their services. Sometimes, however, their sense of self-satisfaction can get on my nerves, especially when they demonstrate themselves capable of the same flaws as their competitors but don't seem to own up to it.
Patched in Cyanogenmod in tonight's nightlies (Score:5, Informative)
See the blog post. [cyanogenmod.org]
Re: (Score:1)