Google has another try at patching Stagefright flaw

Google has sent the patch to its partners and will fix its Nexus line of devices

Google has released another patch for the Stagefright vulnerability after a security firm said the first one didn't fix it.

Hundreds of millions of Android devices are vulnerable to Stagefright. A device can be compromised merely through the receipt of a specially crafted multimedia message (MMS), so an attacker needs only the victim's phone number.

The flaw was found by Joshua Drake at mobile security firm Zimperium, which submitted a set of patches along with its big report. Google released its first patch for Stagefright last week.

But a researcher with another security firm, Exodus Intelligence, discovered a flaw in the patch intended to fix Stagefright. He crafted a malicious MP4 file that could bypass the fix. Exodus notified Google on Aug. 7 but didn't get a response and decided to make the information public, Aaron Portnoy, an Exodus vice president, said in a blog post. Google has since acknowledged Exodus's report and assigned it as CVE-2015-3864.

Portnoy wrote that he was surprised such a major vulnerability didn't get an effective patch the first time around.

"Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor's software and hold them accountable to provide a code fix within a deadline period," he wrote. "If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?"

In a statement Thursday, Google said it had sent its latest fix to its partners. Devices in its Nexus line, including the Nexus 4, 5, 6, 7, 9, 10 and the Nexus Player, will receive an over-the-air update as part of the company's monthly patch update for September.

Google said at the Black Hat security conference earlier this month it would issue monthly security patches for Android devices after Stagefright exposed millions of devices to attack. Major vendors such as Microsoft, Adobe Systems and Oracle have for years released security fixes on a regular schedule.

But the problem with mobile devices is that operators play a key role in distributing patches. While for the last three years Google has sent patches to mobile operators, it was up to those companies to send the patches to users. That process happened slowly if at all.

Major Android manufacturers including Samsung and LG have also committed to working with carrier partners to distribute monthly patches.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags Googlesecuritymobile securityExploits / vulnerabilities

More about Adobe SystemsDrakeExodusGoogleLGMicrosoftOracleSamsungTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place