Android Google Security

Stagefright Patch Incomplete and Zero Day in Android Google Admin App Found

msm1267 writes: A patch distributed by Google for the infamous Stagefright vulnerability found in 950 million Android devices is incomplete and users remain exposed to simple attacks targeting the flaw. Researchers at Exodus Intelligence discovered the issue in one of the patches submitted by Zimperium zLabs researcher Joshua Drake. Google responded today by releasing a new patch to open source and promising to distribute it next month in a scheduled OTA update for Nexus devices and to its partners. Drake's original patch failed to account for an integer discrepancy between 32- and 64-bit, Exodus Intelligence said. By inputting a specific 64-bit value, researchers were able to bypass the patch. Exodus, which submitted a bug fix of its own to Google, said it decided to go public with its findings for several reasons, including the fact that the vulnerability was widely publicized by Zimperium before and during Black Hat, not to mention that Google has had the original bug report since April, yet neither party noticed the discrepancy in the patch. The Android security team at Google is having a busy month. Trailrunner7 writes: Researchers at MWR Labs have released information on an unpatched vulnerability that allows an attacker to bypass the Android sandbox.
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Thursday August 13, 2015 @06:30PM (#50312893)

    It seemed for a while several years ago that every other day there was a new nasty vulnerability in Windows XP. Some of these got exploited by nasty worms such as Blaster. Part of the issue was that Windows was designed without enough concern for security, something that really has changed in the past several years. But users also weren't installing Windows updates like they needed to, leaving them unprotected from exploits. That forced Microsoft to make some big changes in the design of Windows and to its practices in distributing updates. There are still plenty of Windows vulnerabilities, many of which are critical, but updates get distributed and installed much quicker and by a much larger proportion of the users. I'm less bothered by Android vulnerabilities being found and more concerned about how the patches get distributed. Android is a great target for criminals looking to exploit users because it has a large market share and many devices don't get updates regularly. I'd be far less bothered if I could trust that Samsung and Verizon would push out an update promptly, but that doesn't happen. I don't feel particularly vulnerable just because these security holes are being found; however, I don't trust that my Galaxy Note 4 will get an update pushed out to it in a timely manner. I'm not sure how seriously Google takes this, either, if they're going to wait until next month to release a fix. Microsoft did a lot to address the security issues with Windows. A similar thing needs to happen very soon with Android.

  • Actually can feel a little smug right now. My 30 dollar Lumia 520 running Windows 10 works great and since there aren't really any apps for it I don't have to worry about these apps messing with my phone being a well.. a phone.
    • Why not just get a flip phone instead?

      It's "just a phone" and will last a week or more without charging.

      I wouldn't be surprised if flip phones outsell Windows Phone 10 by a significant margin.

      • Why not just get a flip phone instead?

        Because no one makes a flip as beautiful, well-made and small-footprint as the Razr.

        That atrocity by LG the other day looks like a Razr with a tacky leather cover glued on to it -- that doesn't count. That's a near copy.

        After the Razr, all flips are hopelessly plasticky fragile constructions.

        My Razr lasted 6 years. Longest-lived phone I've had.

      • I miss my Nokia 6162. Dropped it in the middle of winter. Found it after spring thaw. Got a Motorola v60i that I only replaced cause they turned off the old cell network. They felt so bad for me, they gave me a new phone free (not the free carrier phone).
  • In other words, since it is testing for a flaw, because it is based on a flawed requirement, is it reporting a false pass? :)
  • Exodus is wrong (Score:5, Informative)

    by swillden ( 191260 ) <shawn-ds@willden.org> on Thursday August 13, 2015 @07:31PM (#50313157) Journal

    Exodus is wrong.

    The flawed patch they mention in their post isn't the one being pushed to devices. What makes this funny is that the correct patch is in AOSP, for everyone to see. What Exodus posted is the patch that jduck suggested. And it's in AOSP here [googlesource.com]. But Google further updated it with this [slashdot.org], which fixes the flaw Exodus noticed in jduck's fix.

    There are still some known ways to crash libstagefright, but they're assertion crashes. They crash safely, no possibility of exploitation.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Prediction: On 64-bit machines GCC and clang will complain about the comparison (SIZE_MAX < chunk_size) being always false. Then some idiot will remove the code to fix the warning, thus silently breaking 32-bit builds. Alternatively, they'll disable the warning, possibly causing future logic bugs to slip through.

      The better fix here would be to not use the magic variable SIZE_MAX, as its use relies on unenforced assumptions about its relationship to the type of the critical expression of interest. One wa
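
The 32-/64-bit length-check problem discussed in this sub-thread, as an added example that is not part of the thread and is not code from AOSP or from either patch. `size32_t`, `weak_len_ok`, `strict_len_ok` and the sample lengths are hypothetical; `size32_t` models `size_t` on a 32-bit build so the result is the same on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: size32_t stands in for size_t on a 32-bit build, so the
 * behaviour is the same on any host. All names here are hypothetical. */
typedef uint32_t size32_t;

/* Weak check: the 64-bit length is narrowed first, so the comparison
 * only ever sees the low 32 bits, and the +1 can wrap to 0. */
bool weak_len_ok(uint64_t chunk_size, size32_t buf_cap)
{
    size32_t n = (size32_t)chunk_size;  /* silent truncation */
    size32_t need = n + 1;              /* room for a terminator */
    return need <= buf_cap;
}

/* Hardened check: reject any value that does not survive the narrowing
 * round trip, then do the arithmetic in the wide type. The check does
 * not depend on how SIZE_MAX relates to the type of chunk_size. */
bool strict_len_ok(uint64_t chunk_size, size32_t buf_cap, size32_t *need_out)
{
    if ((uint64_t)(size32_t)chunk_size != chunk_size)
        return false;                   /* would be truncated */
    uint64_t need = chunk_size + 1;     /* cannot wrap: chunk_size <= 2^32 - 1 */
    if (need > buf_cap)
        return false;
    *need_out = (size32_t)need;
    return true;
}

int main(void)
{
    /* Constructed sample lengths, not values taken from the page. */
    const uint64_t samples[] = { 16, 100, 0xFFFFFFFFULL, 0x100000010ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size32_t need = 0;
        printf("%#llx weak=%d strict=%d\n",
               (unsigned long long)samples[i],
               weak_len_ok(samples[i], 64),
               strict_len_ok(samples[i], 64, &need));
    }
    return 0;
}
```

The two functions disagree only on lengths that do not fit the narrow type or whose `+ 1` wraps, which is the class of input a width-dependent check lets through.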

  • With all the downsides maybe it's dumb to have a smart phone. I know that people would be missing out on all those important facebook posts though.
    • Hey, maybe we shouldn't have computers connected to the internet, because you know "Hackers"!!!

      Seriously, what's with all this paranoia? Yes, mobile OS vendors have probably been lax until now, and once vulnerabilities are found, they will clean up their act, or they will be overthrown in the market by someone who does a better job. Windows used to suck, but now it's much better. I'm sure Android will get there too. That does not mean we can give them a pass for security vulnerabilities. We should absolutely

  • by Dutch Gun ( 899105 ) on Thursday August 13, 2015 @07:49PM (#50313271)

    From the article:

    The flaw was initially reported over 120 days ago to Google, which exceeds even their own 90-day disclosure deadline.

    Do you remember them throwing Microsoft under the bus by releasing information about a flaw before it was patched? Yeah. Oops.

    In summary, the Stagefright disclosure process was an interesting one to observe. The (un)surprising outcome being that given all the exposure this vulnerability received combined with essentially infinite resources on the vendor side, effective security mitigations were still not deployed. Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?

    I don't particularly dislike Google. I use Android and several of their services. Sometimes, however, their sense of self-satisfaction can get on my nerves, especially when they demonstrate themselves capable of the same flaws as their competitors but don't seem to own up to it.

  • by the_humeister ( 922869 ) on Thursday August 13, 2015 @07:57PM (#50313305)

    See the blog post. [cyanogenmod.org]
