Researchers discover flaws in half-cooked Stagefright patch issued by Google for Android smartphones and tablets
It seems Android’s Stagefright bug is becoming a real pain in the neck for Google. Fixing the Stagefright bug on Android devices is taking longer than Google might have hoped!
Towards the end of last month, when security researcher Joshua Drake exposed the details of the Stagefright vulnerability, Google was quick to provide the required patches. Various Android manufacturers and carriers also joined hands to fix the issue on most Android devices. Some of them also announced that they would roll out monthly patches, a practice that was established as a consequence of the Stagefright bug.
However, it seems that the patches released by Google were half-cooked and put together in haste. Researchers at Exodus Intelligence have discovered a flaw in one of the patches issued by Google, and they say that under appropriate conditions an Android device is still vulnerable to the Stagefright attack.
It has been only around eight days since Google, Android manufacturers and carriers issued patches for their respective devices. After the deployment of the patch, Exodus Intelligence researchers were able to successfully trigger a system crash in an Android device. It seems the research team used an appropriately encoded MP4 file sent over MMS to attack the phone.
The researchers sent a statement via email, stating: “The summary is that the Stagefright vulnerability is still exploitable and the 4-line patch that was implemented is faulty. We have been able to trigger the fault that still affects over 950 million Android devices.”
Right now it is not clear whether the bug can be exploited only for code execution or whether it can be used for system shutdown as well.
On the other hand, as soon as Exodus reported the issue along with the patch to Google, it immediately open-sourced the patch for the flaw.
Google has confirmed that it has already sent out a second patch for the issue.
In a statement, Google said: “We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update.”
At present, it is not confirmed whether non-Nexus phones will also receive the second patch; however, it seems these devices will get the new patch as part of the monthly patch system, which is to be rolled out soon, as already confirmed by Google, Android manufacturers and some carriers.
Usually, whenever a bug or vulnerability is discovered, there is a standard 30-day notice period, which gives the company ample time to understand the flaw and provide a proper patch to mitigate the issue. However, Exodus Intelligence researchers disclosed the bug pretty soon, and Google has had less than a week to design and deploy the patch for the highlighted flaw.
Exodus, however, feels that the flaw was part of the Stagefright vulnerability disclosure, which had already been reported to Google some four months back, and that, surprisingly, Google was still using a faulty patch. Hence, in the current scenario, with intense public awareness of the Stagefright attack, Exodus could not keep the bug secret.
“There has been an inordinate amount of attention drawn to the bug. We believe we are likely not the only ones to have noticed it is flawed. Others may have malicious intentions.”
However, Google has stressed the importance of mitigation systems like Address Space Layout Randomization (ASLR), which is present in Android devices. It has issued a statement saying that “currently over 90% of Android devices have a technology called ASLR enabled, which protects users from this issue.”
For now, Android users need to be careful and alert whenever they open messages received from unknown sources. Do refer to the detailed analysis of Stagefright, and of how one can stop the Stagefright attack, in our earlier article.