Google’s Android Stagefright patch is flawed

The security update released by Google last week does not provide a complete defense against attackers taking advantage of the recently unearthed Stagefright Android vulnerability, Exodus Intelligence researchers have found.

The hole was discovered by Zimperium researchers, who notified Google and submitted a set of patches for the batch of flaws that allow Stagefright-type attacks.

“One of these patches, addressing CVE-2015-3824 (aka Google Stagefright ‘tx3g’ MP4 Atom Integer Overflow) was quite simple, consisting of merely 4 lines of changed code,” Jordan Gruskovnjak and Aaron Portnoy explained in a blog post.

Unfortunately, the patch also fails to do its job, as Gruskovnjak proved by crafting an MP4 file that bypassed the patch and crashed the patched test Nexus 5 device.

He alerted Google of the problem a week ago, but the originally published fix is yet to be updated, and is still being pushed out to users and OEMs.

“There has been an inordinate amount of attention drawn to the bug – we believe we are likely not the only ones to have noticed it is flawed. Others may have malicious intentions,” the two researchers noted. “The public at large believes the current patch protects them when it in fact does not.”

They also alerted Zimperium about the faulty patch, and the two companies are working on providing coverage for detection of this flaw through Zimperium’s Stagefright Detector app.

“The Stagefright disclosure process was an interesting one to observe. The (un)surprising outcome being that given all the exposure this vulnerability received combined with essentially infinite resources on the vendor side, effective security mitigations were still not deployed,” they pointed out.

“Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?”

Google has announced last week that they will start pushing out regular OTA security updates for their Nexus devices each month.




Share this