Biggest security update in history coming up: Google patches Android hijack bug Stagefright

Ad giant, Samsung, LG commit to monthly fixes


Black Hat 2015 For those of you worried about the Stagefright flaw in Android, be reassured: a patch will be coming down the line in the next few days.

"My guess is that this is the single largest software update the world has ever seen," said Adrian Ludwig, lead engineer for Android security at Google. "Hundreds of millions of devices are going to be updated in the next few days. It's incredible."

All Nexus devices are going to be patched, and Samsung, Motorola, HTC, LG, Sony, Android One, and hundreds of other manufacturers are going to push out the patches too, he said. Some handset vendors, like Silent Circle, have already patched their operating systems.

"With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner," said Dong Jin Koh, EVP of Samsung Electronics, Mobile R&D Office.

"Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected. We believe that this new process will vastly improve the security of our devices and will aim to provide the best mobile experience possible for our users."

In addition, Google, Samsung, and LG have made a commitment to send out monthly security patches to users that will fix any upcoming issues in the operating system. These updates have been sent out to manufacturers for years, but now end users will get them too, and they will continue for at least three years after the launch of any new handset.

"We've looked at the events of the last few weeks and realized we need to move faster, and that we need to tell people what we are doing," Ludwig said.

The Stagefright flaw was a serious issue, with 95 per cent of devices potentially vulnerable, he said, but there were mitigating factors. Devices running Android 4.1 Jelly Bean or later have address space layout randomization (ASLR), which makes memory-corruption exploits much harder to pull off reliably, and that bought enough time to sort out the issue, he said.

As for the other Android bug from last week – Trend Micro's discovery of an integer overflow bug in Android's media server service – that too will be fixed by the end of the week. The flaw, in the media server's video handling, could be used to crash phones and leave them silent, and a fix is in place despite Google initially rating the issue as low priority.
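The bug class behind both Stagefright and the Trend Micro media server report is the same: a length field read from an untrusted media file is used in size arithmetic that can wrap. The following is an added, constructed C example that is not Android code and not the actual bug in either report. It uses an assumed toy chunk format (4-byte big-endian payload length, 4-byte type tag, payload) and shows a parser that computes an allocation size in 32-bit arithmetic beside a hardened version that rejects lengths that would wrap or that exceed the bytes actually present. Neither function performs the copy; the vulnerable one only reports the allocation and copy sizes it would have used, so the inconsistency can be inspected without crashing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed toy chunk layout for this example (not a real container spec):
 * 4-byte big-endian payload length, 4-byte type tag, then payload. */
#define HDR_LEN 8u

struct chunk_plan {
    uint32_t alloc_len;  /* bytes the parser would allocate */
    uint32_t copy_len;   /* bytes the parser would memcpy into that allocation */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: allocation size computed in 32-bit arithmetic and
 * trusted without checking it against the input actually available.
 * A payload length of 0xFFFFFFFC makes alloc_len wrap to 4 while copy_len
 * stays at ~4 GiB: a heap overflow once the copy runs. */
static int plan_chunk_vulnerable(const uint8_t *buf, size_t buf_len,
                                 struct chunk_plan *out) {
    if (buf_len < HDR_LEN) return 0;
    uint32_t payload_len = be32(buf);
    out->alloc_len = payload_len + HDR_LEN;   /* wraps for payload_len >= 0xFFFFFFF8 */
    out->copy_len  = payload_len;
    return 1;
}

/* Hardened: refuse lengths whose addition would wrap, and lengths that claim
 * more payload than the buffer holds. Only then do the arithmetic. */
static int plan_chunk_hardened(const uint8_t *buf, size_t buf_len,
                               struct chunk_plan *out) {
    if (buf_len < HDR_LEN) return 0;
    uint32_t payload_len = be32(buf);
    if (payload_len > UINT32_MAX - HDR_LEN) return 0;       /* would wrap */
    if ((size_t)payload_len > buf_len - HDR_LEN) return 0;  /* truncated/lying header */
    out->alloc_len = payload_len + HDR_LEN;
    out->copy_len  = payload_len;
    return 1;
}

/* Constructed sample inputs: a well-formed 4-byte chunk and a malicious header. */
static const uint8_t good_chunk[] = { 0x00,0x00,0x00,0x04, 'm','d','a','t', 0xde,0xad,0xbe,0xef };
static const uint8_t evil_chunk[] = { 0xff,0xff,0xff,0xfc, 'm','d','a','t', 0x41,0x41,0x41,0x41 };

/* Plan is unsafe when the copy would exceed the allocation. */
static int plan_is_unsafe(const struct chunk_plan *p) {
    return p->copy_len > p->alloc_len;
}

/* Small wrappers so each outcome is a single returned value. */
static int vulnerable_would_overflow(const uint8_t *buf, size_t len) {
    struct chunk_plan p;
    return plan_chunk_vulnerable(buf, len, &p) && plan_is_unsafe(&p);
}
static uint32_t vulnerable_alloc_len(const uint8_t *buf, size_t len) {
    struct chunk_plan p;
    return plan_chunk_vulnerable(buf, len, &p) ? p.alloc_len : 0;
}
static int hardened_accepts(const uint8_t *buf, size_t len) {
    struct chunk_plan p;
    return plan_chunk_hardened(buf, len, &p);
}

int main(void) {
    printf("vulnerable parser, evil chunk: alloc %u bytes, overflow=%d\n",
           vulnerable_alloc_len(evil_chunk, sizeof evil_chunk),
           vulnerable_would_overflow(evil_chunk, sizeof evil_chunk));
    printf("hardened parser accepts evil chunk: %d\n",
           hardened_accepts(evil_chunk, sizeof evil_chunk));
    printf("hardened parser accepts good chunk: %d\n",
           hardened_accepts(good_chunk, sizeof good_chunk));
    return 0;
}
```

The second check in the hardened version matters as much as the wrap check: a header that does not wrap but still claims more payload than the file contains is how a crafted MMS or video file turns a parser into an out-of-bounds read. ASLR, as discussed above, only makes the resulting corruption harder to turn into code execution; the length validation is what removes the bug.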

"Google's messenger app gets updated by end of week so it won't build dynamic media thumbnails," Ludwig promised. "Sorry, but thumbnails are going to be very boring for the next week."

It's not just about the updates: Google is investing considerably in hardening up the Android ecosystem and blocking applications that could be considered malware, Ludwig promised.

In June, Google announced Android Security Rewards, a bug bounty scheme specifically for the mobile operating system. As with the Chrome bounty, simple bug reports earn smaller payouts, but a full exploit chain that demonstrates the bug with a working proof of concept and ends in compromising Android's TrustZone can net a researcher up to $38,000.

Developers will also get warnings if their apps are found to break the rules, either inadvertently or by design. So far Google has warned developers about more than 60,000 applications, but Ludwig said he wanted that number cut to zero in the long run. ®
