
Google Fixes Broken Stagefright Patch

Google has acknowledged that its patch for a bug affecting nearly one billion Android devices was itself flawed, and has released a fix.

The patch addresses the Stagefright flaw, discovered in April by security firm Zimperium, which said the flaw could allow an attacker to take control of a device by sending a maliciously crafted video message.

Stagefright flaws

Zimperium discovered a number of bugs in Android’s Stagefright library and submitted patches for them to Google. The company disclosed the issues in July and Google said it had added the patches into the latest version of Android.

However, another security firm, Exodus Intelligence, said it easily bypassed one of the patches, meaning devices with the fix are still vulnerable.

The company said it notified Google of the issue on 7 August but didn’t receive a response until it published a blog post on the issue last week.

Exodus said its researcher Jordan Gruskovnjak had bypassed the patch in testing it on a Nexus 5 device using a specially crafted MP4 file. The firm said Gruskovnjak’s attack was not included in Zimperium’s Stagefright vulnerability detector, meaning that users running the flawed patch were given the all-clear, providing them with a “false sense of security”.

Following the blog post, Google assigned the new issue CVE identifier CVE-2015-3864 and said it has added a fix for it into Android. Google said it plans to deliver the fix to Nexus devices via its monthly update for September and has distributed it to other vendors, who will make it available via their own update programmes.

Erratic updates

Google also said the issue is mitigated for most Android users by a security feature called address space layout randomisation (ASLR), currently enabled on 90 percent of devices, which makes attacks difficult to plan. Google has pointed out that so far there is no evidence of any attacks having exploited the flaw.

Google said at the Black Hat security conference earlier this month that it would begin issuing monthly security updates for Android after the stir created by Stagefright. Samsung and LG have also said they will work with carriers on delivering monthly updates.

However, most Android handsets do not receive Google’s monthly updates, relying instead on updates from third-party handset providers, which may be erratic or nonexistent.

Exodus said the security implications of the flawed patch were worrying.

“Given all the exposure this vulnerability received combined with essentially infinite resources on the vendor side, effective security mitigations were still not deployed,” the company wrote. “If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?”


Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDNet and other leading publications.
