Google's initial Android Stagefright patch inadequate, forced to issue second fix

Posted in General Discussion, edited August 2015
The first software patch designed to mitigate the high-profile Stagefright vulnerability in Google's Android mobile operating system was insufficient, one security researcher discovered, leading to the issuance of yet another update.




Last week, security expert Jordan Gruskovnjak found that one version of the Stagefright patch -- which allows a malformed MP4 file to cause an integer overflow -- did not fully address the problem, and was able to bypass the fix with a new proof of concept. Google was notified on August 7, and has already begun distributing another update.

"We've already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update," a Google spokesperson told Threatpost.

Wireless carriers in the U.S. have also chipped in, working to block transmission of MMS messages that contain exploitable payloads.

First revealed publicly in late July, the Stagefright exploit relies on a bug in Android's media handling library. It allows attackers to craft a malicious MMS message that would execute arbitrary code whenever received by or opened on an Android device.

"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS," the flaw's discoverers explained at the time. "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification."

Last week, Google announced plans to begin issuing regular monthly security updates for Nexus users. LG and Samsung have signed on to distribute those patches to their devices as well.

Comments

  • Reply 1 of 39
    nagromme Posts: 2,834 member
    2.6% of Android users have the latest version? Let's double that number by 2017! Reach for the sky, Google!

    Or maybe not. I know Samsung loves my friends who buy a new Android phone every year or so, to escape the problems of the previous one and get the latest Android features they love to brag about (despite never actually getting on their current phone). Android hardware tends to be abandoned by the manufacturer before it's even paid off.
  • Reply 2 of 39
    Google likes to throw around big numbers when bragging about Android activations, but maybe in this instance, it might want to pretend all those once activated Android devices out there received as a $99 gift but are now sitting at the bottom of a junk drawer don't exist.

    But they do.
  • Reply 3 of 39

    Patches? We don't need no stinking patches.

  • Reply 4 of 39
    cali Posts: 3,494 member
    Let's see how the fanDroids spin this one. This is really gonna push their creativity.
    sog35 wrote: »
    LOL.

    Android is such a clustersmuck.

    IMO, Google should just phase out Android.  They basically make zero $ off of it.

    "Google would be better off if there were more iPhones since that's where all their mobile profits come from.
    this week, Goldman's analysts estimated that Google did $11.8 billion in mobile search revenue in 2014.

    Goldman estimated that 75% of that revenue, $8.9 billion, came from Web searches made using iPhones and iPads.

    That means that, at most, Google generated $3 billion from searches made on Android devices in 2014."

    http://www.businessinsider.com/goldman-sachs-says-android-is-making-google-very-little-money-2015-4


    So Google only makes $3 billion in revenue from Android.  They already lost $12 billion in the Motorola purchase and no doubt pay a ton of salaries to keep Android running.  Bottom line they don't make any money on Android.

    The irony here is, if Giggle wouldn't have betrayed Apple they would have been making a ton more money with no work.

    I hope Apple cuts iOS revenue stream for them soon.
  • Reply 5 of 39
    cali Posts: 3,494 member
    jsmythe00 wrote: »
    Proof of concept? So how likely is this exploit bound to make it into the wild. Apple has had proof of concept security holes(fake a finger print to bypass touchid) but that didn't garner this much news.

    If it's a real issue then flame android, BUT, if it's an extremely unlikely to happen condition, then let them fix it and move along

    Let the spinning begin!!
  • Reply 6 of 39
    gatorguy Posts: 24,213 member
    cali wrote: »
    Let's see how the fanDroids spin this one. This is really gonna push their creativity.
    The irony here is, if Giggle wouldn't have betrayed Apple they would have been making a ton more money with no work..

    Apple began their own map plans long ago, buying Placebase way back in July 2009, while Apple was still using Mr Schmidts services on their Board of Directors. It was even before Google enabled multitouch in Android, leading to Mr Jobs infamous thermonuclear threat. Prior to that they had kept it disabled at Mr. Jobs request, which still didn't keep Apple from moving ahead with their secret Google Maps replacement.

    So IMHO Google was on the way out anyway as soon as Apple was able to put their own services in place whether they were "Apple's friend" or not. That's what Apple does when it sees an opportunity to add value to their ecosystem, and kudos to them for good business practices.

    There aren't "Apple partners" per-se IMO. There's Apple contractors and suppliers, which change whenever it's to Apple's advantage to do so just as would be expected.
  • Reply 7 of 39
    tmay Posts: 6,340 member
    jsmythe00 wrote: »
    No spin here bro. I'm all Apple, from the iPhone 3G to the AppleWatch.



    There's a 1001 one things to flame android on, but is a proof of concept vulnerability one of them?

    It's about a business model that isn't designed to prevent a potential vulnerability from spreading rapidly into the Android user community and wreaking havoc. The fact that Google, et al, are having to make PR statements on how they are going to deal with it is a symptom of that problem.

  • Reply 8 of 39
    tmay Posts: 6,340 member
    jsmythe00 wrote: »
    Ok. Look at it this way. Is TouchID fixed from having someone make a high resolution copy of your fingerprint and accessing your phone? Nope! Why? Because that kind of break in is HIGHLY unlikely. Now how likely is this Google flaw?

    So, this is the security that users want to depend on? Don't worry about it, what could possibly happen?

  • Reply 9 of 39
    gatorguy Posts: 24,213 member
    sog35 wrote: »
    But if Google did not backstab Apple in the first place with Android
    Google was involved with developing Android as a mobile OS for smartphones well before Apple ever began the iPhone project. It would have been impossible for Mr. Jobs not to have known that, particularly by the time he invited Mr. Schmidt to serve Apple on their BOD. IMHO that was a "keep your enemies closer" plan, with Mr Jobs hoping he could influence (pressure) Google into handicapping Android just to stay on Apple's good side.

    Apple was "betting the house" on the iPhone and smartly covering all the bases they could, influencing where they could influence to give the iPhone every chance they could to succeed.
  • Reply 10 of 39
    Gatorguy wrote: »
    Google was involved with developing Android as a mobile OS for smartphones well before Apple ever began the iPhone project.

     

    Complete and utter bullshit. Google acquired Android in August 2005. Apple already had basic prototypes of the iPhone in 2005, which means they would have had to been working on it for some time already.

  • Reply 11 of 39
    tmay Posts: 6,340 member
    jsmythe00 wrote: »
    ...what are you more concerned with. Catching the flu or Ebola? Proof of concept is a non real-world theory. Keep in mind I'm not defending android but like Apple Touch ID issue, this borders fearmongering

    I'd be more concerned that the near profitless business model fails when a vulnerability does move into the Android user population. But even now, I suspect that some buyers are going, "why take a chance" and switching to iOS.

     

    I should push that meme no less than fandroids push "walled garden".

  • Reply 12 of 39
    gatorguy Posts: 24,213 member
    Complete and utter bullshit. Google acquired Android in August 2005. Apple already had basic prototypes of the iPhone in 2005, which means they would have had to been working on it for some time already.
    When you start your claims that someone else is tossing around BS you might consider checking first. Research isn't all that time-consuming and sure does help prevent embarrassment when emphatically claiming something as fact turns out not to be true.

    Google invested in Android back in 2004, purchasing it outright sometime early in 2005. The first mention in the press didn't hit until Aug/05. It's like the Placebase purchase that Apple kept hidden from the press until October/09 even tho it took place months earlier in July if not before. You remember this don't you?
    http://www.phonearena.com/news/Did-you-know-Samsung-could-buy-Android-first-but-laughed-it-out-of-

    You might also read up on your iPhone history too. Project engineers weren't even hired until late in 2005, and prototypes didn't appear until 2006 according to evidence they submitted in the Samsung trial. You probably got confused with the Purple Project that was intended to result in the iPad. Yes that did start earlier.
  • Reply 13 of 39
    jsmythe00 wrote: »
    Proof of concept? So how likely is this exploit bound to make it into the wild. Apple has had proof of concept security holes(fake a finger print to bypass touchid) but that didn't garner this much news.



    If it's a real issue then flame android, BUT, if it's an extremely unlikely to happen condition, then let them fix it and move along

     

    This exploit is bound to make it into the wild if it isn't already done:

    1. this exploit requires NO user intervention

    2. all it requires is to send the user an MMS message

    3. the MMS message can self-destruct so the user won't even see it.

     

    You bet your pants it is likely to be exploited.  After all, Chinese Hackers have spent a lot of energy gathering ID information for millions of US Government workers by hacking into US computers. And they should look at this Android hack as a FREE GIFT from Santa Claus.

     

    They have the opportunity to steal identifying information from nearly 1 BILLION Android Users.  They would be rich from selling this information in the black market.  You bet it will be exploited.

  • Reply 14 of 39
    sog35 wrote: »
    Maps is minor.

     

    Google is about search.


     

    But isn't Google Maps just a different UI for search (geographically)?

     

    When I open Google Map on iPhone and enter "Panera Bread", it shows me four nearby locations.  Does Google get paid by Panera bread for showing their stores in response to a Map query?  If so, then Apple Maps is eating into that search-by-map revenue stream.

  • Reply 15 of 39
    cali Posts: 3,494 member
    jsmythe00 wrote: »
    No spin here bro. I'm all Apple, from the iPhone 3G to the AppleWatch.

    There's a 1001 one things to flame android on, but is a proof of concept vulnerability one of them?

    But what you're comparing is similar to a person forging a key that needs to be stolen from someone to a person who has the keys to everyone's home.....and this person is omnipresent and invisible.

    No need to wonder why this is being covered. This is a GIGANTIC concern. Had this been an iPhone problem it would have been front page news on every newsstand and top news in every news outlet.
    sog35 wrote: »
    Maps is minor.

    Google is about search.  Apple was content with Google search on iOS until they backstabbed them with Android.

    iOS is Google's cash cow on mobile.  And soon it will be cut off because of their greed.

    In 5 years people will remember Android as the biggest mistake Google ever made.  When all is said and done they would have lost a ton of money on Android with the Motorola fiasco and low revenue from Android users.  But most of all Android was the knife they used to stab Apple in the back.  This will be remembered like the move Nintendo did to stab Sony in the back with the original playstation.  Sony got its revenge by bringing out the PS1 and Nintendo has never been the dominant figure in gaming ever since.

    Not the same with sony. sony pulled a scumbag sammy move and copied everything Nintendo engineered. playstation is like android heck, even the name was a Nintendo idea. Difference is Nintendo sucks at marketing and sony is deceiving as f***. Last I checked Wii was the fastest selling console and highest profiting console in history and that was last gen.
  • Reply 16 of 39
    sog35 wrote: »
    So why didn't Apple do anything about the fake fingerprint 'hack'?




    1. How do you know that Apple didn't do anything?  Apple doesn't have to publish improvements to its fingerprint firmware.  After all, this firmware is inaccessible to anyone but Apple.  So Apple wouldn't want to publicize a way to modify it.

     

    2. Exactly how many people are actually doing this hack?  If it was so easy to do, there should be more people publicizing about it on YouTube.  But there aren't.  This is because it is impossible to do.

  • Reply 17 of 39
    Slprescott wrote: »
    But isn't Google Maps just a different UI for search (geographically)?

     

    When I open Google Map on iPhone and enter "Panera Bread", it shows me four nearby locations.  Does Google get paid by Panera bread for showing their stores in response to a Map query?  If so, then Apple Maps is eating into that search-by-map revenue stream.




    Apple has been reducing user's need for Google's services on its devices.  For example, when doing search using Siri, you are using Bing search, not Google.  Apple Maps has also replaced Google Maps.

     

    So yes,  Apple has significantly reduced Google's revenue from iOS devices.

     

    And now, Apple has added the ability to AD-BLOCK on Safari in iOS.  This means iOS users will have the opportunity to block ads from Google.  

     

    You bet users will use Ad Blockers on iOS.  After all, ads use up your Data Allocation. You are paying for ads simply by viewing them on your iPhone or iPad.  Ads also slow down web pages.  So yes, users will use Ad Blockers.  This will destroy whatever is left of Google's Revenue from iOS devices - which is most of their mobile revenue.

  • Reply 18 of 39
    auxio Posts: 2,728 member
    jsmythe00 wrote: »
    Ok. Look at it this way. Is TouchID fixed from having someone make a high resolution copy of your fingerprint and accessing your phone? Nope! Why? Because that kind of break in is HIGHLY unlikely. Now how likely is this Google flaw?

     

    Let's compare the two.  Exploiting TouchID requires:

     

    1) Having physical access to someone's phone/tablet

    2) Having a very high quality copy of that person's fingerprint

    3) Having the technical skill to scan and enhance that fingerprint and reprint it at very high quality

    4) The person having not realized their phone/tablet is missing during this process and remotely disabled it

     

    Exploiting Stagefright requires:

     

    1) Creating a special video file (I'm sure there are already tools out there for this)

    2) Having someone's phone number

     

    I'll leave it to you to figure out which one is more likely to be exploited.

  • Reply 19 of 39
    dasanman69 Posts: 13,002 member
    sog35 wrote: »
    jsmythe00 wrote: »
    Well...what if they shut down android and apple shut them out of iOS. They have no control over what goes on in iOS. In fact, Apple has been systematically killing Google from iOS. Maps, search via Siri...


    At least with android they have a profit generating fallback.

    But if Google did not backstab Apple in the first place with Android, Apple would never have made their own Maps and search.

    And you know this as an absolute truth?
  • Reply 20 of 39
    jbdragon Posts: 2,311 member
    nagromme wrote: »
    2.6% of Android users have the latest version? Let's double that number by 2017! Reach for the sky, Google!

    Or maybe not. I know Samsung loves my friends who buy a new Android phone every year or so, to escape the problems of the previous one and get the latest Android features they love to brag about (despite never actually getting on their current phone). Android hardware tends to be abandoned by the manufacturer before it's even paid off.

    Google only asks for 18 months of support. That's not a mandate and that's only a year and a half. So if you're under a 2 year contract and buy in day one, you still lose what support you may have for 6 months minimum. If you don't buy that Android phone until 6 months later, well you hire only have support for 1 year. Or you buy a nexus and limit yourself to Only a couple phones. There goes all that so called choice!!!

    Apple on the other hand generally fired at least 4 years. So even if you don't buy that iPhone until 2 years later, you're still getting support for another 2 years. Android didn't have to be this way, but Google really doesn't care. All they care about is getting their OS out into the market to get ads to people and spy on everything they do.