Google Patches More Stagefright Vulnerabilities In Android (threatpost.com)
msm1267 writes: The Stagefright vulnerabilities are the gifts that keep on giving. Months after the potentially devastating security flaws in the mobile OS were publicly disclosed, Google continues to send out patches addressing vulnerabilities related to the initial reports. Today's monthly Android security bulletin includes a fix for another flaw in the Stagefright media playback engine, one in libutils where the Stagefright 2.0 vulnerabilities were found, and two in Android Mediaserver where all the vulnerable code runs. The over-the-air update was released today to Google's Nexus devices and will be added to the Android Open Source Project (AOSP) repository in the next two days; Google partners including Samsung were provided the patches on Oct. 5, Google said, adding that the vulnerabilities are patched in Build LMY48X or later, or in Android Marshmallow with a patch level of Nov. 1.
And carriers like Verizoned are where? (Score:2, Insightful)
And how many months if EVER will Verizon and carriers send out these updates? I'm still waiting for the last 3 patches that they haven't done shit about.
Re: (Score:3)
Re:And carriers like Verizoned are where? (Score:5, Insightful)
Re: (Score:2)
Even though there seem to be a fair amount of vulnerabilities and Android is the leading platform for most, if not all of the world, there really haven't been any huge exploits or massive attacks similar to what we saw back in the heyday of Windows and any large outbreaks that have occurred seem mos
Re: (Score:1)
Until there's an actual wide-scale exploit that hits vulnerable users, the carriers aren't going to care. They'd rather sell you a new phone and contract than keep supporting old devices that are off contract. Even though there seem to be a fair amount of vulnerabilities and Android is the leading platform for most, if not all of the world, there really haven't been any huge exploits or massive attacks similar to what we saw back in the heyday of Windows and any large outbreaks that have occurred seem mostly limited to China.
Pray tell, how can you KNOW that your personal data hasn't been siphoned off your Android (besides leaving it "off" in the drawer, or in "Airplane Mode")?
Unlike in the 90s, pretty much ALL exploits want to do is suck down your personal data, not delete it. The former is fairly hard for the average person to discover, until it's far, far too late...
Nexus not the first? (Score:2)
Is this the same patch Motorola released the other week for Moto X 2014 devices? It said it was a fix for some Stagefright vulnerabilities.
Re: (Score:2)
The best scanner I've seen so far for previous versions of Stagefright vulnerabilities is this one [google.com].
Re: (Score:1)
Or is it that no one wants to advertise this basic fact because they don't want people to root devices? Obviously if the fix is that simple and straightforward on rooted devices, it screams against the propaganda they want to force everyone to think.
Re: (Score:2)
Re: (Score:1)
Wouldn't it be the case that, for people with rooted devices, patching the vulnerability would be as simple as copying a couple library files into /system/lib or somewhere?
So what about the other 99.999999999999999999999999999% of Android users that wouldn't know how to Root their phone, or even what that means, if their lives literally depended on it?
Re: (Score:1)
Google programmers need to read the book (Score:2)
They can do much better at avoiding bugs than they are now.
Re: (Score:2)
I was about to write a disparaging remark before reading the reviews. The author's page also has lots of relevant info.
Re:Google programmers need to read the book (Score:4, Interesting)
I might have purchased a copy of that book if there was actually an e-book version of it.
Anyhow, it's important to point out that security bugs aren't exactly like typical bugs. You can't test for security using unit tests... it's something that needs to happen in an audit. You need to be actively searching for ways to break code, and you need to know the techniques with which this is usually done. Most programmers are not trained how to do this. Do you think anyone actually tried to fuzz-test this library? I wonder.
Allowing a multimedia library to play downloaded, untrusted content with elevated privileges is a pretty obvious problem in hindsight. We've seen flaws in many other internet-facing multimedia rendering or playback libraries before. libstagefright is now going to undergo some intense scrutiny by both hackers and security firms alike - I'd be surprised if this is the last we hear of this.
Re: (Score:2)
Anyhow, it's important to point out that security bugs aren't exactly like typical bugs. You can't test for security using unit tests
Security in general is hard, but we're seeing a lot of basic errors that shouldn't be happening. In some cases, if Google had merely read the warning output from the compiler, they would have found bugs.
Once people start even thinking about security, then we can move onto higher techniques, like proofs and contracts, to remove even more bugs.
Do you think anyone actually tried to fuzz-test this library? I wonder.
I seriously doubt it originally, but it looks like Google has some people trying that sort of thing now.
Re: (Score:2)
Compiler warnings wouldn't have helped in the case of stagefright bugs (looking at a few patches). Even cppcheck was silent.
As for fuzzing, Google made its own fuzzers: bunny-the-fuzzer followed by american-fuzzy-lop. The first one was started in 2007, at about the same time Android 1.0 came out. So Google was obviously no stranger to the concept of fuzz-testing.
Why did the bugs slip by? One can only guess. Maybe the stagefright team was a bit rushed and didn't do all formal testing required, maybe the b
Re: (Score:3)
I don't doubt that dealing with all the various ghastly corner cases in codecs and container formats was deeply unpleasant; but it is worrisome that priority was apparently given to avoiding the appearance of failure, rather than really clamping down on what such a dangerously un
Re: (Score:2)
As for fuzzing, Google made its own fuzzers: bunny-the-fuzzer followed by american-fuzzy-lop. The first one was started in 2007, at about the same time Android 1.0 came out. So Google was obviously no stranger to the concept of fuzz-testing.
I'm sure they know it exists lol.......the question is, why have they sucked it up so much? My theory is that security isn't something that can be 'added' or fixed in a later stage. It's something programmers need to be thinking about right from the beginning (and obviously they failed miserably in this case).
Re: (Score:2)
here's another set (Score:1)
Re: (Score:2)
What does Google App Engine have to do with Android?
The exploits there are from the Oracle HotSpot JVM, which doesn't run on Android phones.
Re: (Score:2)
Update status will drive my next phone purchase (Score:5, Insightful)
I have a 2.5 year old phone that I otherwise love [engadget.com] and while it's EOL, I still use it extensively.
The idea that a phone can be not even 3 years old and not have any hope of getting updates is something I balk STRONGLY at.
Re: (Score:3)
I'm not sure why so many Android users find this to be acceptable. Imagine requiring Dell's permission to install a new version of Windows. That's how Android works, BY DESIGN.
Apple does this right (Score:3, Insightful)
Not sure you are following the analogy, because the original complaint is that you need the carrier's permission to install an update from Google.
Meanwhile Apple is supporting devices around four years old with updates, no matter what carrier you have.
Re: (Score:1)
Meanwhile Apple is supporting devices around four years old with updates, no matter what carrier you have.
Meanwhile Apple does not even allow you to install apps that aren't from the app store.
Re: (Score:3)
Re: (Score:1)
Boy, was THAT hard. Took longer to prune the URL of its unnecessary tracking bullshit than to do the search.
Re: (Score:1)
In Europe, or at least here in the Netherlands, most phones are technically not carrier-dependent (except a few simlocked/branded phones, which you can choose not to buy), the carrier only controls the SIM.
Despite that, the problem remains that Android _OEMs_ don't update older phones.
Like the Moto E, released last February, which won't get Android 6.0. Which is entirely due to Motorola choosing not to.
Google then is applauded for supporting Nexuses for 3 years. Yeah, great, but still way too short. Because
Re: (Score:2)
Re: (Score:2)
Yes, Google can approve their own updates, the rest of the manufacturers and carriers remain as bottlenecks.
Re: (Score:2)
Re: (Score:2)
I wasn't referring to Google approving their own updates. I was referring to the Nexus series allowing users to update their own phones. You don't need Google's permission to do so.
Nexus is Google's own phone. That's why you get those updates.
Re: (Score:2)
Re: (Score:2)
Do you understand that Nexus is Google's own phone? You need to because that's the reason you can find only one exception.
Re: (Score:2)
Re: (Score:2)
Heh. Ah, man. That's funny. Okay, here we go:
"Exception"? Do you even understand the words you're writing? You're arguing the Nexus series is an "Exception" to the concept that Android is "designed" to disallow upgrades?
Yes. That's exactly what I'm saying. The Nexus phones are not proof that Android isn't designed that way, they're proof that it is! Nexus phones are produced for Google. They are Google's phones. They are to Google what iPhone is to Apple. Android is to Google what iOS is to Apple. Google can update their own phones to the latest Android because the OS and the Nexus phones are theirs. They're not some random manufacturer producing their own phones
Re: (Score:3)
Or the FCC / FTC could actually do their fucking job to protect consumers from pricks that s
Re: (Score:1)
I have a 2.5 year old phone that I otherwise love [engadget.com] and while it's EOL, I still use it extensively.
The idea that a phone can be not even 3 years old and not have any hope of getting updates is something I balk STRONGLY at.
I have a solution for that [apple.com]...
Very bogus! (Score:1)
So now I have to buy a new phone? Why don't they just make the damn things disintegrate (biodegradable) after two years? Bastards!
It doesn't work (Score:4, Insightful)
Google should admit there is a problem in Android's model of getting updates and do something about it.
It is not just code.
If they don't care because Android is doing well in terms of market share etc, they should read comments & stories about Nokia Symbian. Developers, users, authors were telling them everything that was wrong and they were laughing at them, showing their massive market share. Now, their own Google Keyboard didn't autocomplete Symbian, it is that irrelevant.
Re: It doesn't work (Score:2)
Built on unfuckable Linux and solid java (Score:1)
Nothing penetrates Linux android. I read this on /. all the time. Everyone knows java/dalvik is "the 'bestest' safest language" that makes bug free code too! Now, I am going to read the article - wtf? Oops. Guess all of /. is at fault for all your years of linux is secure no other OS is. I blame you fucking liars for feeding me that shit.