stagefright

Latest

  • Android's April security update tackles another Stagefright flaw

    by Jon Fingas
    04.04.2016

    Google's monthly Android security updates are nothing new, but its latest release may be particularly important. The new April update tackles eight critical vulnerabilities that include one in the libstagefright library -- you know, the same media framework that recently faced a rash of real and potential exploits. It also patches a nasty kernel flaw that would give attackers full control over your device. You'll get first crack at the fixes if you either have a Nexus device or can install an Android Open Source Project build, but other vendors that offer Google's monthly updates will likely follow suit before long.

  • Stagefright exploit reliably attacks Android phones (updated)

    by Jon Fingas
    03.19.2016

    You may know that the Stagefright security flaw is theoretically dangerous, but it hasn't been that risky in practice -- it's just too difficult to implement on an Android device in a reliable way. Or rather, it was. Security researchers at NorthBit have developed a proof-of-concept Stagefright exploit, Metaphor, that reliably compromises Android phones. The key is a back-and-forth procedure that gauges a device's defenses before diving in. Visit a website with a maliciously-designed MPEG-4 video and the attack will crash Android's media server, send hardware data back to the attacker, send another video file, collect additional security data and deliver one last video file that actually infects the device.

  • The problem with 'pumpkin spice' security bugs

    by Violet Blue
    10.22.2015

    Bad Password is a hacking and security column by Violet Blue. Every week she'll be exploring the trendy new cyberhysteria, the state of the infosec community and the ever-eroding thing that used to be called "privacy." Bad Password cuts through the greed, fear mongering and jargon with expertise, a friendly voice and a little levelheaded perspective. When asked, "Why give a vulnerability a website, logo and brand image?" many infosec professionals will confidently answer that flamboyant bugs raise awareness toward fixes. Fixing and patching, we're led to believe, is almost as fun as a trip to the dentist. Which is true. Heartbleed, Shellshock, Stagefright, Sandworm, Rootpipe, Winshock and the truly terror-inducing nom-de-sploit POODLE are not, in fact, a list of situational phobias. These were named with intent to become PR markers -- although looking at the way some of these vulns (vulnerabilities) got their names and brands, it seems like the focus was more on the credit for naming them, rather than the actual usefulness of trying to "pumpkin spice" a bug.

  • Stagefright bug now spreads through malicious audio files

    by Andrew Tarantola
    10.01.2015

    Cripes, how many times is Google going to have to patch before the Stagefright exploit bug stays fixed? The company has already patched its code three times but on Thursday, security research firm Zimperium (the guys that initially discovered the flaw) announced that it had discovered yet another way hackers could bypass an Android handset's security. This time, the malicious code can be delivered by an audio message. Hackers can encode a piece of malware into an MP3 or MP4 file and then disseminate it (worryingly, this sort of digital delivery vehicle works really well over public Wi-Fi connections). Any Android user who clicks on the downloaded file will prompt the OS to automatically preview the song, infecting the device. And since virtually every build of Android OS currently available shares this same auto-preview feature, the exploit works nearly universally. Google is reportedly already working to patch the vulnerability in Android's core code, which should be ready by the October Monthly Security Update on the 5th.

  • 'Stagefright' vulnerability files released to the wild

    by Timothy J. Seppala
    09.11.2015

    On the heels of its Stagefright detection app, Zimperium (the outfit that discovered the Android security flaw) has released its exploit to the public. But before you get your hands dirty tinkering with it to find a fix there are a few things you need to consider. Zimperium says that it was tested on a Nexus device that was running Ice Cream Sandwich 4.0.4 and that "due to variances in heap layout" this exploit isn't entirely reliable. The Python script does work to take advantage of "one of the most critical" vulnerabilities the outfit discovered in the security flaw's library, however. Perhaps the biggest caveat, though, is that since the file was tested with Ice Cream Sandwich, Zimperium says that elements of Android 5.0 Lollipop, the fast-growing OS of choice for Android users, basically nullify its attempts to address the problem.

  • CyanogenMod gets Android 5.1 and Stagefright security fixes

    by Jon Fingas
    09.01.2015

    If you've been sitting on pins and needles waiting for the community-focused CyanogenMod firmware to both make the leap to Android 5.1 and fix that nasty Stagefright MMS exploit, you can relax. Hot on the heels of Cyanogen OS 12.1 (for devices like the OnePlus One), CyanogenMod 12.1 is arriving with both the perks from Android 5.1.1 as well as a Stagefright patch that theoretically keeps you safe. There are also Stagefright fixes for CyanogenMod 11 and 12.0, in case you can't run the new operating system right away. There are a lot of devices to cover with this rollout, so don't be alarmed if you don't see a download right away -- if your phone or tablet is already running CyanogenMod's decidedly non-standard code, there's probably an update waiting in the wings.

  • OnePlus 2 update brings Stagefright patch, battery improvements

    by Edgar Alvarez
    08.21.2015

    We knew an over-the-air update was coming to the OnePlus 2, but now it's here. Today, OnePlus released the first software revision for its new flagship smartphone, bringing with it a few major changes to OxygenOS. The most important one, perhaps, is an added patch for Stagefright, the security vulnerability that's affecting more than 950 million Android devices. There are also improvements to the handset's battery performance and the user interface, as well as other under-the-hood enhancements that should make the OnePlus 2 more stable overall. Our own Senior Mobile Editor, Chris Velazco, noticed some software bugs in his review unit, so here's to hoping this version of OxygenOS (2.0.1) fixes these issues.

  • Fixing 'Stagefright' flaw on Android is harder than we thought

    by Roberto Baldwin
    08.13.2015

    The Stagefright vulnerability for Android won't seem to want to go away. According to Exodus Intelligence researchers, one of the patches issued by Google could still allow access to Android devices. The researchers told Engadget via email, "the summary is that the Stagefright vulnerability is still exploitable and the 4-line patch that was implemented is faulty. We have been able to trigger the fault that still affects over 950 million Android devices." The issue with the patch was reported to Google, which open sourced the patch for the patch this morning.

  • Motorola is the next to patch Android's big video security flaw

    by Jon Fingas
    08.08.2015

    Chalk up one more big Android phone maker racing to patch its devices against that nasty Stagefright video security flaw. Motorola has explained that it will not only fix the vulnerability in phones from 2013 onward (such as the original Moto X and the Droid line), but make sure that its latest hardware is secure almost from the word go. Both the Moto X Style and Moto X Play will be secure on launch, while the recently-shipped third-generation Moto G is getting its update "soon."

  • LG commits to monthly Android security updates

    by Daniel Cooper
    08.07.2015

    In the wake of the Stagefright bug, LG has reportedly committed to posting monthly security updates to protect its Android smartphones. It's the third company in two days to pledge to ensure that its devices aren't left wide open for hackers, since Google and Samsung both said the same yesterday. The announcement was reported by Wired, who quotes an unnamed LG source as saying that it'll provide the updates on a monthly basis. Unfortunately, these updates will still have to be passed fit for purpose by the carriers, who frequently drag their feet when it comes to getting them out to consumers.

  • Android app tells you if you have 'Stagefright' vulnerability

    by Steve Dent
    08.07.2015

    Got Stagefright? Not the fear of an audience, but an Android vulnerability that could hijack your smartphone via a garden-variety MMS. The company that discovered the flaw, Zimperium, has now released a tool, the Stagefright Detector App, to at least let you know if you're patched against it. Google issued a fix a while ago, and you're protected if you have a Nexus device. But if you own nearly any other smartphone -- even a brand new one like Samsung's Galaxy S6 -- you're probably still at risk.

  • Google's Nexus devices are getting monthly security updates

    by Jon Fingas
    08.05.2015

    Samsung isn't the only Android device maker promising monthly security updates in light of huge exploits like the Stagefright flaw. Google itself is vowing that Nexus devices will get monthly over-the-air patches, starting with software arriving today. If you own a Nexus 4 or any newer model, you won't have to wait ages for these fixes to come as part of a point release. The duration of update coverage remains the same. You'll get major OS updates for at least 2 years, and security fixes for either 3 years after launch or 18 months after your device leaves the Google Store.

  • Android flaw lets attackers into your phone through MMS videos

    by Jon Fingas
    07.27.2015

    If you're an Android user, you'd better hope that a stranger doesn't send you a video message in the near future -- it might compromise your phone. Security researchers at Zimperium have discovered an exploit that lets attackers take control if they send a malware-laden MMS video. The kicker is that you may not even need to do anything to trigger the payload, depending on your text messaging app of choice. While the stock Messenger app won't do anything until you see the message, Hangouts' pre-processing for media attachments could put you at risk before you're even aware that there's a message waiting.