Incomplete ‘Stagefright’ Security Patch Leaves Android Vulnerable to Text Hack

Last week, Google released an official patch for the vulnerability Stagefright that affects 95 percent of Android devices running version 2.2 to version 5.1 of the operating system, it is estimated that 950 million Android devices in use worldwide .

But, the patch is so flawed that hackers can still exploit the Stagefright vulnerability (CVE-2015-3824) anyways.

 

“The [original] patch is four lines of code and was (presumably) reviewed by Google engineers prior to shipping,” researchers at Exodus Intelligence wrote in a blog post published Thursday.“The public at large believes the current patch protects them when it, in fact, does not.”

Buggy Patch Issued by Google

The patch addresses the vulnerability by allowing booby trapped MP4 videos, which provide variable lengths of 64 bits to overflow the buffer and block the smartphone when trying to open the multimedia message.
The company notified Google of the issue, on August 7, two days after his presentation Stage Fright in the Black Hat conference, but received no response from the company regarding the release of an updated solution.
Therefore, the firm launched code that shows how the smartphone is locked Stagefright exploiting the vulnerability because the search giant is being “defective patch distributing Android devices via over-the-air updates.”
The defective patch has been assigned the vulnerability identifier of CVE-2015-3864, according to researchers at the Exodus, but at the moment it is difficult to say when a suitable solution to the legal vacuum available.

“Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software,” but if it can’t “demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?,” the Exodus researchers wrote.

 

When contacted for comment, a Google spokesman confirmed the findings and said the company had distributed the second patch to its OEM partners, however, its own Nexus and Nexus 4/5/6/7/9/10 player will receive the patch as part of its September update patch.
So, in order to get rid of this problem, it is necessary to keep an eye on this new patch to fix the old faulty patch.

 

Incomplete ‘Stagefright’ Security Patch Leaves Android Vulnerable to Text Hack

Back to top button
Close