Google Patches Stagefright 2 Android Vulnerability

Google isn’t wasting any time patching newly announced vulnerabilities in its Android mobile operating system.

On Oct. 5, Google released its monthly Nexus update, providing a patch for the Stagefright 2.0 issues that Zimperium zLabs Vice President of Platform Research and Exploitation Joshua Drake first announced on Oct. 1.

Drake disclosed two issues, CVE-2015-3876 and CVE-2015-6602, which Google has patched. In total, the Google Android October update patches 19 different vulnerabilities. Drake told eWEEK that he reported 10 different issues to Google on Aug. 15.

In addition to the  CVE-2015-3876 and CVE-2015-6602 vulnerabilities, Google also is patching a third issue that Drake reported; the vulnerability, known as CVE-2015-3875, was also reported to Google by Daniel Micay, a security researcher at Copperhead Security.

Android Stagefright

“Daniel [Micay] reported it back while everyone was in Vegas; I reported it 10 days later, was told it was duplicate and commended Daniel on his work,” Drake said.

The other seven issues that Drake has reported to Google on Android remain unpatched, although the risk is not quite the same.

“The other issues require more research to determine if they are reachable through any local or remote attack vector,” Drake said. “That is, neither Google nor I have confirmed there’s anything exploitable there—[which is] much different from the CVE-2015-3876 and CVE-2015-6602 cases.”

The patches are now present in the Android Open Source Project (AOSP), and Google Nexus devices are starting to receive updates.

“We hope that other vendors will release Stagefright 2.0 updates soon,” Drake said.

Google’s move to a monthly update cycle for Android patches is partly a reaction to Drake’s original Stagefright research first disclosed in July. Google’s Android Security Chief Adrian Ludwig has pledged to accelerate the pace of security updates to help keep users safe.

It’s a pledge that Drake and Zimperium intend to help validate. “We plan to analyze the speed of updates as a longer-term project and will release the findings to the public when they are ready,” Drake said. “So far, our gut feeling is that OEMs are trying to get updates out faster but have significantly more overhead to deal with than Google/Nexus.”

Originally published on eWeek

What do you know about Internet security? Find out with our quiz!