Google has another try at patching Stagefright flaw

Google has sent the patch to its partners and will fix its Nexus line of devices

Google has released another patch for the Stagefright vulnerability after a security firm said the first one didn't fix it.

Hundreds of millions of Android devices are vulnerable to Stagefright. A device can be compromised merely through the receipt of a specially crafted multimedia message (MMS), so an attacker needs only the victim's phone number.

The flaw was found by Joshua Drake at mobile security firm Zimperium, which submitted a set of patches along with its big report. Google released its first patch for Stagefright last week.

But a researcher with another security firm, Exodus Intelligence, discovered a flaw in the patch intended to fix Stagefright. He crafted a malicious MP4 file that could bypass the fix. Exodus notified Google on Aug. 7 but didn't get a response and decided to make the information public, Aaron Portnoy, an Exodus vice president, said in a blog post. Google has since acknowledged Exodus's report and assigned it as CVE-2015-3864.

Portnoy wrote that he was surprised such a major vulnerability didn't get an effective patch the first time around.

"Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor's software and hold them accountable to provide a code fix within a deadline period," he wrote. "If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?"

In a statement Thursday, Google said it had sent its latest fix to its partners. Devices in its Nexus line, including the Nexus 4, 5, 6, 7, 9, 10 and the Nexus Player, will receive an over-the-air update as part of the company's monthly patch update for September.

Google said at the Black Hat security conference earlier this month it would issue monthly security patches for Android devices after Stagefright exposed millions of devices to attack. Major vendors such as Microsoft, Adobe Systems and Oracle have for years released security fixes on a regular schedule.

But the problem with mobile devices is that operators play a key role in distributing patches. While for the last three years Google has sent patches to mobile operators, it was up to those companies to send the patches to users. That process happened slowly if at all.

Major Android manufacturers including Samsung and LG have also committed to working with carrier partners to distribute monthly patches.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Googlesecuritymobile securityExploits / vulnerabilities

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?