
Google Patches More Stagefright Vulnerabilities In Android (threatpost.com)

msm1267 writes: The Stagefright vulnerabilities are the gifts that keep on giving. Months after the potentially devastating security flaws in the mobile OS were publicly disclosed, Google continues to send out patches addressing vulnerabilities related to the initial reports. Today's monthly Android security bulletin includes a fix for another flaw in the Stagefright media playback engine, one in libutils where the Stagefright 2.0 vulnerabilities were found, and two in Android Mediaserver where all the vulnerable code runs. The over-the-air update was released today to Google's Nexus devices and will be added to the Android Open Source Project (AOSP) repository in the next two days; Google partners including Samsung were provided the patches on Oct. 5, Google said, adding that the vulnerabilities are patched in Build LMY48X or later, or in Android Marshmallow with a patch level of Nov. 1.

  • by Anonymous Coward

    And how many months if EVER will Verizon and carriers send out these updates? I'm still waiting for the last 3 patches that they haven't done shit about.

    • I'm in the same boat with AT&T and a year-old S5 Active. But I can tell you this, I regularly get Samsung security updates to ensure I'm not doing anything naughty to my phone.
    • Until there's an actual wide-scale exploit that hits vulnerable users, the carriers aren't going to care. They'd rather sell you a new phone and contract than keep supporting old devices that are off contract.

      Even though there seem to be a fair amount of vulnerabilities and Android is the leading platform for most, if not all of the world, there really haven't been any huge exploits or massive attacks similar to what we saw back in the heyday of Windows and any large outbreaks that have occurred seem mos
      • Until there's an actual wide-scale exploit that hits vulnerable users, the carriers aren't going to care. They'd rather sell you a new phone and contract than keep supporting old devices that are off contract. Even though there seem to be a fair amount of vulnerabilities and Android is the leading platform for most, if not all of the world, there really haven't been any huge exploits or massive attacks similar to what we saw back in the heyday of Windows and any large outbreaks that have occurred seem mostly limited to China.

        Pray tell, how can you KNOW that your personal data hasn't been siphoned off your Android (besides leaving it "off" in the drawer, or in "Airplane Mode")?

        Unlike in the 90s, pretty much ALL exploits want to do is suck down your personal data, not delete it. The former is fairly hard for the average person to discover, until it's far, far too late...

  • Is this the same patch Motorola released the other week for Moto X 2014 devices? It said it was a fix for some Stagefright vulnerabilities.

    • by meadow ( 1495769 )
      In all the conversation so far no one bothered to post anything about how to actually verify if the vulnerability exists on a system or whether anyone is offering a vulnerability scanner for this.

      The best scanner I've seen so far for previous versions of Stagefright vulnerabilities is this one [google.com].
      • by meadow ( 1495769 )
        Wouldn't it be the case that, for people with rooted devices, patching the vulnerability would be as simple as copying a couple library files into /system/lib or somewhere?

        Or is it that no one wants to advertise this basic fact because they don't want people to root devices? Obviously if the fix is that simple and straightforward on rooted devices, it screams against the propaganda they want to force everyone to think.
        • Google could even provide the updates directly if they classified their libraries, programs, and apps into those that the carriers and vendors could play with and those that they can't.

          It should be perfectly possible to update an SSL library without interfering with any customisation. They could even allow veto of patches of carriers and vendors, if the patches really did break anything. Of course the carriers and vendors would have to be given a few days to test for breakage. But, even with such a veto,

        • Wouldn't it be the case that, for people with rooted devices, patching the vulnerability would be as simple as copying a couple library files into /system/lib or somewhere?

          So what about the other 99.999999999999999999999999999% of Android users that wouldn't know how to Root their phone, or even what that means, if their lives literally depended on it?

          • by meadow ( 1495769 )
            I wasn't trying to say that everyone should root their phone but just that rooting should be more accepted by vendors, governments, or others since there are really good reasons for it. Seems like we're always under threat against some kind of draconian lockdown imposed by carriers/vendors/governments against having full control over the devices we own and operate. Just because we are purchasing wireless bandwidth doesn't give them the right to deprive us of our freedom.
  • Google programmers should read this book [amazon.com].
    They can do much better at avoiding bugs than they are now.
    • I was about to write a disparaging remark before reading the reviews. The author's page also has lots of relevant info.

    • by Dutch Gun ( 899105 ) on Monday November 02, 2015 @08:51PM (#50852125)

      I might have purchased a copy of that book if there was actually an e-book version of it.

      Anyhow, it's important to point out that security bugs aren't exactly like typical bugs. You can't test for security using unit tests... it's something that needs to happen in an audit. You need to be actively searching for ways to break code, and you need to know the techniques with which this is usually done. Most programmers are not trained how to do this. Do you think anyone actually tried to fuzz-test this library? I wonder.

      Allowing a multimedia library to play downloaded, untrusted content as elevated privileges is a pretty obvious problem in hindsight. We've seen flaws in many other internet-facing multimedia rendering or playback libraries before. libstagefright is now going to undergo some intense scrutiny by both hackers and security firms alike - I'd be surprised if this is the last we hear of this.

      • Anyhow, it's important to point out that security bugs aren't exactly like typical bugs. You can't test for security using unit tests

        Security in general is hard, but we're seeing a lot of basic errors that shouldn't be happening. In some cases, if Google had merely read the warning output from the compiler, they would have found bugs.

        Once people start even thinking about security, then we can move onto higher techniques, like proofs and contracts, to remove even more bugs.

        Do you think anyone actually tried to fuzz-test this library? I wonder.

        I seriously doubt it originally, but it looks like Google has some people trying that sort of thing now.

        • by GuB-42 ( 2483988 )

          Compiler warnings wouldn't have helped in the case of stagefright bugs (looking at a few patches). Even cppcheck was silent.

          As for fuzzing, Google made its own fuzzers: bunny-the-fuzzer followed by american-fuzzy-lop. The first one was started in 2007, at about the same time Android 1.0 came out. So Google was obviously no stranger to the concept of fuzz-testing.

          Why did the bugs slip by? One can only guess. Maybe the stagefright team was a bit rushed and didn't do all formal testing required, maybe the b

          • Given that the (deliberately configured, 'as designed') behavior for stagefright was to silently restart every 5 seconds if it crashed, I can only assume that there was some internal pessimism about the robustness of the library.

            I don't doubt that dealing with all the various ghastly corner cases in codecs and container formats was deeply unpleasant; but it is worrisome that priority was apparently given to avoiding the appearance of failure, rather than really clamping down on what such a dangerously un
          • As for fuzzing, Google made its own fuzzers: bunny-the-fuzzer followed by american-fuzzy-lop. The first one was started in 2007, at about the same time Android 1.0 came out. So Google was obviously no stranger to the concept of fuzz-testing.

            I'm sure they know it exists lol.......the question is, why have they sucked it up so much? My theory is that security isn't something that can be 'added' or fixed in a later stage. It's something programmers need to be thinking about right from the beginning (and obviously they failed miserably in this case).

      • I might have purchased a copy of that book if there was actually an e-book version of it.

        Well, you see there's your first problem. Pages 7-14 describe the clear dangers of using ebooks, where hackers can make use of common buffer overflow exploits in PDF (and other e-reader formats) renderer implementations to take over your device and use it to inject vulnerabilities into your code.

        But wait, before you buy from Amazon, make sure you're aware of the advice in pages 111-191. Entering your credit card num

  • Here's another set [threatpost.com] of Android vulns that I believe were not mentioned here on Slashdot earlier.....
  • by mcrbids ( 148650 ) on Monday November 02, 2015 @06:50PM (#50851491) Journal

    I have a 2.5 year old phone that I otherwise love [engadget.com] and while it's EOL, I still use it extensively.

    The idea that a phone can be not even 3 years old and not have any hope of getting updates is something I balk STRONGLY at.

    • I'm not sure why so many Android users find this to be acceptable. Imagine requiring Dell's permission to install a new version of Windows. That's how Android works, BY DESIGN.

      • No, it's not how Android works, by design. Regular Nexus phones, that run the most Googly Androids, can be upgraded without problem. The only issue is that at some point Google itself stops producing the binaries for each model.

        • Yes, Google can approve their own updates, the rest of the manufacturers and carriers remain as bottlenecks.

          • I wasn't referring to Google approving their own updates. I was referring to the Nexus series allowing users to update their own phones. You don't need Google's permission to do so.

            In any case your comment was that Android was the bottleneck, that it was designed to prevent itself from being upgraded. That is what I was responding to. That's false. Android has nothing to do with it.

            Yes, manufacturers can block updates as they do with Windows phone and other mobile operating systems, but that isn't Andr

            • I wasn't referring to Google approving their own updates. I was referring to the Nexus series allowing users to update their own phones. You don't need Google's permission to do so.

              Nexus is Google's own phone. That's why you get those updates.

              • I wasn't referring to Google approving their own updates. I was referring to the Nexus series allowing users to update their own phones. You don't need Google's permission to do so.
                • Do you understand that Nexus is Google's own phone? You need to because that's the reason you can find only one exception.

                  • "Exception"? Do you even understand the words you're writing? You're arguing the Nexus series is an "Exception" to the concept that Android is "designed" to disallow upgrades?

                    Are you aware that the Nexus series are mobile phones? Not operating systems or distributions of Android?

                    Your claim is that Android, by design, prevents users from upgrading it. You're wrong. The fact Nexus users (and users of many other models of phone bundled with Android) can upgrade their phones without having to get permissio

                    • Heh. Ah, man. That's funny. Okay, here we go:

                      "Exception"? Do you even understand the words you're writing? You're arguing the Nexus series is an "Exception" to the concept that Android is "designed" to disallow upgrades?

                      Yes. That's exactly what I'm saying. The Nexus phones are not proof that Android isn't designed that way, they're proof that it is! Nexus phones are produced for Google. They are Google's phones. They are to Google what iPhone is to Apple. Android is to Google what iOS is to Apple. Google can update their own phones to the latest Android because the OS and the Nexus phones are theirs. They're not some random manufacturer producing their own phones

    • FedGov needs to take a different angle: if carriers refuse to issue critical security updates to phones less than five years old, they need to be levied a healthy fine based on the number they've sold that are - solely through their indifference - destined to generate tons of easily avoidable e-waste. That is a quantifiable, undeniable result of their inactions and they should be brutally punished to send a message.

      Or the FCC / FTC could actually do their fucking job to protect consumers from pricks that s
    • I have a 2.5 year old phone that I otherwise love [engadget.com] and while it's EOL, I still use it extensively.

      The idea that a phone can be not even 3 years old and not have any hope of getting updates is something I balk STRONGLY at.

      I have a solution for that [apple.com]...

  • So now I have to buy a new phone? Why don't they just make the damn things disintegrate (biodegradable) after two years? Bastards!

  • It doesn't work (Score:4, Insightful)

    by Ilgaz ( 86384 ) on Tuesday November 03, 2015 @02:36AM (#50853365) Homepage

    Google should admit there is a problem in Android's model of getting updates and do something about it.

    It is not just code.

    If they don't care because Android is doing well in terms of market share etc, they should read comments & stories about Nokia Symbian. Developers, users, authors were telling them everything which was wrong and they were laughing at them showing their massive marketshare. Now, their own Google Keyboard didn't autocomplete Symbian, it is that irrelevant.

    • And what makes you think they don't? And if they do admit it internally, what good will it do to announce it externally? You seem to equate silence to ignoring the issue.
  • by Anonymous Coward

    Nothing penetrates Linux android. I read this on /. all the time. Everyone knows java/dalvik is "the 'bestest' safest language" that makes bug free code too! Now, I am going to read the article - wtf? Oops. Guess all of /. is at fault for all your years of linux is secure no other OS is. I blame you fucking liars for feeding me that shit.
