Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Android Stagefright Vulnerability Not Patched Properly by Google

A patch released by Google for one of the recently disclosed Stagefright vulnerabilities affecting the Android mobile operating system is flawed, researchers have warned.

A patch released by Google for one of the recently disclosed Stagefright vulnerabilities affecting the Android mobile operating system is flawed, researchers have warned.

Earlier this year, researchers at mobile security firm Zimperium identified several vulnerabilities in the Stagefright library used in Android (libstagefright) and other software such as Mozilla Firefox. The security holes affect all Android versions since 2.2, but releases prior to 4.1 Jelly Bean are the most exposed because Address Space Layout Randomization (ASLR) mitigations are not properly implemented.

When the issues were disclosed in late July, experts estimated that roughly 950 million Android devices were affected by remote code execution flaws, some of which could be exploited simply by sending an MMS message to the targeted device.

The Stagefright vulnerabilities have been assigned the following CVE identifiers: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829.

On August 5, Google started releasing over-the-air (OTA) security updates for Nexus 4,5,6,7,9,10 and Nexus Player devices to address most of these flaws. However, shortly after the search giant started distributing the patches, researchers at Exodus Intel confirmed their suspicion that the fix for an integer overflow triggered in libstagefright during MPEG4 tx3g data processing (CVE-2015-3824) was flawed.

The patch for this potential remote code execution vulnerability, consisting of only four changed lines of code, was provided to Google by Joshua Drake, the Zimperium researcher who uncovered the Stagefright flaws. Drake said the search giant accepted his patches within 48 hours after being submitted.

Advertisement. Scroll to continue reading.

Google has confirmed that the fix for the integer overflow vulnerability does not work as intended and assigned the CVE-2015-3864 identifier to the new issue. However, as of August 13, the company was still pushing out the updates containing the buggy patch.

The search giant says it has already provided a fix to its partners. The company intends to send out the new patch to Nexus 4,5,6,7,9,10 and Nexus Player devices with the September OTA updates.

“Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?” Exodus Intel wrote in a blog post.

Several serious flaws have been found in Android over the past weeks. Earlier this month, researchers at IBM disclosed several serialization vulnerabilities that can be exploited by malicious apps to escalate privileges, allowing attackers to take control of devices.

The large number of vulnerabilities and the fact that it takes a lot of time for patches to reach devices due to the fragmentation of the ecosystem have made Android a tempting target for cybercriminals. Device manufacturers have started to acknowledging the importance of time sensitivity when it comes to addressing critical vulnerabilities, which is why Google, Samsung and other companies recently promised to provide regular security updates.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.