Google Fixes Broken Stagefright Patch

Google has acknowledged that its patch for a bug affecting nearly one billion Android devices was itself flawed, and has released a fix.

The patch is for the Stagefright flaw, discovered in April by security firm Zimperium, which it said could allow an attacker to take control of a device by sending a maliciously crafted video message.

Stagefright flaws

Zimperium discovered a number of bugs in Android’s Stagefright library and submitted patches for them to Google. The company disclosed the issues in July and Google said it had added the patches into the latest version of Android.

However, another security firm, Exodus Intelligence, said it easily bypassed one of the patches, meaning devices with the fix are still vulnerable.

The company said it notified Google of the issue on 7 August but didn’t receive a response until it published a blog post on the issue last week.

Exodus said its researcher Jordan Gruskovnjak had bypassed the patch in testing it on a Nexus 5 device using a specially crafted MP4 file. The firm said Gruskovnjak’s attack was not included in Zimperium’s Stagefright vulnerability detector, meaning that users running the flawed patch were given the all-clear, providing them with a “false sense of security”.

Following the blog post, Google assigned the new issue CVE identifier CVE-2015-3864 and said it has added a fix for it into Android. Google said it plans to deliver the fix to Nexus devices via its monthly update for September and has distributed it to other vendors, who will make it available via their own update programmes.

Erratic updates

The company also said the issue is mitigated for most Android users by a security feature called address space layout randomisation (ASLR), currently enabled on 90 percent of devices, which makes attacks difficult to plan. Google has pointed out that so far there is no evidence of any attacks having exploited the flaw.

Google said at the Black Hat security conference earlier this month that it would begin issuing monthly security updates for Android after the stir created by Stagefright. Samsung and LG have also said they will work with carriers on delivering monthly updates.

However, most Android handsets do not receive Google’s monthly updates, relying instead on updates from third-party handset providers, which may be erratic or nonexistent.

Exodus said the security implications of the flawed patch were worrying.

“Given all the exposure this vulnerability received combined with essentially infinite resources on the vendor side, effective security mitigations were still not deployed,” the company wrote. “If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?”

Are you a security pro? Try our quiz!