  • Google to Issue a Second Fix as its Initial Patch for the Stagefright Exploit Failed

    A security researcher recently discovered that the first software patch designed to mitigate the high-profile Stagefright vulnerability in Google's Android mobile operating system failed to do so. This has led to the issuance of yet another update.

    The issue was discovered by security expert Jordan Gruskovnjak, who found that one version of the patch for the Stagefright flaw, which allows an insecure MP4 file to cause an integer overflow, didn't fully address the problem. He was able to bypass the fix with a new proof of concept. Google was notified and has reportedly been working on another update. A Google spokesperson told Threatpost the following regarding the matter:

    We've already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update.
    Wireless carriers in the US have also contributed, working to block transmission of MMS messages that contain exploitable payloads.

    For those of you who didn't know, the Stagefright exploit was revealed in July and relies on a bug in Android's media handling library. It allows attackers to craft a malicious MMS message that can execute code when it is received by or opened on an Android device. According to the person who discovered the flaw:

    Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification.
    Last week, Google announced plans to begin issuing regular monthly security updates for Nexus users. LG and Samsung both signed on to distribute these patches to their devices as well. We'll have to see how Google ends up tackling the issue and when it finally gets resolved.

    Source: Exodus Intelligence (blog), ThreatPost via AppleInsider
    This article was originally published in forum thread: Google to Issue a Second Fix as its Initial Patch for the Stagefright Exploit Failed started by Akshay Masand