topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday December 12, 2024, 6:46 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Security: Stagefright Vulnerability (Android)  (Read 13160 times)

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Security: Stagefright Vulnerability (Android)
« on: July 27, 2015, 08:40 PM »
Six critical vulnerabilities have left 95 per cent of Google Android phones open to an attack delivered by a simple multimedia text, a mobile security expert warned today. In some cases, where phones parse the attack code prior to the message being opened, the exploits are silent and the user would have little chance of defending their data.

via: http://www.forbes.co...ndroid-text-attacks/

Still trying to process what one can easily do about this (apart from disabling network access and turning off one's affected Android devices -- may be it's important to be careful about what one does after turning it back on too...).

Some related info:

  http://www.theregist...oid_phone_text_flaw/
  https://threatpost.c...vices-at-risk/113960
  http://it.slashdot.o...oid-with-just-a-text
« Last Edit: July 27, 2015, 08:47 PM by ewemoa »

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,914
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #1 on: July 28, 2015, 01:27 PM »
Yikes, that's crazy.

Jibz

  • Developer
  • Joined in 2005
  • ***
  • Posts: 1,187
    • View Profile
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #2 on: July 28, 2015, 04:21 PM »
I've seen some people suggest disabling automatic download of mms messages (an option in Hangouts and other sms apps). The idea is that if no mms is downloaded, the decoder will not run.

The worst part about these kind of errors in the underlying system, is that with the way each manufacturer is running his own version of android, it will take a while for fixes to roll out even though Google fixes it. Some older phones will probably never get an update. Glad I have a Nexus :Thmbsup:.

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #3 on: July 28, 2015, 06:14 PM »
The disabling instructions I've encountered include:

1. In messaging apps, disable automatic downloading of mms messages (like what Jibz said)
2. In APN settings, disable some appropriate mms-related settings (didn't manage to become clear enough on exactly what though)
3. For rooted phones, put media.stagefright.enable-player=false in /system/build.prop (likely have to do something like: 'mount -o remount,rw /system' as root first)

The first two suggestions might help to mitigate the issue, but there may be other ways for the code in question in stagefright to get executed, IIUC.

My current understanding is that on some phones the code in question can get executed with system level privileges (e.g. Galaxy S4), but not necessarily on all phones.  So I guess depending on one's phone, how nasty this is may be quite different.



Regarding updates, IIUC, the Cyanogemod 12.x (nightly) series has been patched:

  https://plus.google....od/posts/7iuX21Tz7n8

Personally I'm waiting for:
CM11 will see these updates hit as part of out of band fixes this weekend (these releases occur weekly).
« Last Edit: July 29, 2015, 12:33 AM by ewemoa »

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #4 on: July 28, 2015, 10:21 PM »

"....multimedia text..."

There was some different iPhone attack by text (that I have to invoke Fermat and say I don't recall what or why), whose solution was some setting where it doesn't parse the text message "live" but just says you have a text, and then you have to enter the full text reading mode to read it. So I did that setting, (not recalling now where it was), but I wonder if anything like that matters here - sparked by the similarity of "....(attack) text message..."

Tuxman

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 2,508
    • View Profile
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #5 on: July 30, 2015, 04:13 AM »
People still use MMS?
Why?

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,777
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #6 on: July 30, 2015, 06:19 PM »
People still use MMS?
Why?

Because some people can't tell the difference between IM and texting in apps that handle both.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #7 on: July 31, 2015, 06:21 AM »
People still use MMS?
Why?
Because it's a way to send/receive pictures for people who aren't on social media sites and don't use instant-messaging platforms?

Also, remember that just turning off MMS isn't enough to protect you from this exploit, it can be triggered in-browser as well. One of the worst exploits in a while...
- carpe noctem

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,645
    • View Profile
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #8 on: July 31, 2015, 02:20 PM »
People still use MMS?
Why?

I'll admit that I have no idea.  I just press a icon when I want to send someone a message, type a few words in and press send.

I have no idea what technology might be used behind the scenes, and I don't really care to know. All I care about is that the message I send arrives on the phone of the user I sent it to.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,777
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #9 on: August 14, 2015, 01:39 AM »
Stagefright is still a problem.

Stagefright was supposedly fixed, and even an app that detects whether or not your device is vulnerable will say you are not vulnerable, even if you are!

Emphasis added:

We notified Google of the issue on August 7th but have not had a reply to our query regarding their release of an updated fix. Due to this, as well as the following facts, we have decided to notify the public of our findings here on the Exodus Intelligence blog.

  • The flaw was initially reported over 120 days ago to Google, which exceeds even their own 90-day disclosure deadline.
  • The patch is 4 lines of code and was (presumably) reviewed by Google engineers prior to shipping. The public at large believes the current patch protects them when it in fact does not.
  • The flaw affects an estimated 950 million Google customers.
  • Despite our notification (and their confirmation), Google is still currently distributing the faulty patch to Android devices via OTA updates.
  • There has been an inordinate amount of attention drawn to the bug–we believe we are likely not the only ones to have noticed it is flawed. Others may have malicious intentions.
  • Google has not given us any indication of a timeline for correcting the faulty patch, despite our queries.
  • The Stagefright Detector application released by Zimperium (the company behind the initial discovery) reports “Congratulations! Your device is not affected by vulnerabilities in Stagefright!” when in fact it is, leading to a false sense of security among users.

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #10 on: August 14, 2015, 06:50 AM »
Thanks for sharing.

Came across this:

Google today released to open source a new patch for the infamous Stagefright vulnerability found in 950 million Android devices after researchers at Exodus Intelligence discovered the original patch was incomplete and Android devices remain exposed to attack.

“We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update,” a Google spokesperson told Threatpost. Last week at Black Hat, Google announced that it would begin monthly OTA security updates for Nexus, and that Samsung and LG also committed to providing carriers with regular updates.

via https://threatpost.c...still-exposed/114267

xtabber

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 618
    • View Profile
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #11 on: August 14, 2015, 02:39 PM »
OTA's to fix the vulnerability have already gone out - got them yesterday on both Nexus 7 (2013) and Nexus 10.  The original Nexus 7 (2012) and older Nexus devices are no longer on the Android update schedule and will not be getting patches from Google.

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,266
    • View Profile
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #12 on: August 18, 2015, 10:18 PM »
AT&T pushed out an OTA for the Samsung Galaxy S5 a week or two ago that patches the vulnerability as well.

However, I haven't heard anything about any pending fixes to Certifi-Gate, though. :(

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #13 on: September 02, 2015, 07:52 PM »
Personally I'm waiting for:
CM11 will see these updates hit as part of out of band fixes this weekend (these releases occur weekly).

Finally got this within the last few days.

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: Security: Stagefright Vulnerability (Android)
« Reply #14 on: October 07, 2015, 01:33 AM »
Further Stagefright-related patches (plus others) included in recent update:

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.

via https://groups.googl...-updates/_Rm-lKnS2M8

IIUC, these are related, but not the same as originally reported.