Google flubs patch for Stagefright security bug in 950 million Androids

Update flawed, new one needed for countless gadgets


Google's security update to fix the Stagefright vulnerability in millions of Android smartphones is buggy – and a new patch is needed.

The Stagefright flaw is named after a component within the Android operating system that, among other things, processes incoming text messages that contain video clips. By sending a vulnerable Android device a specially crafted multimedia message, it is possible to inject and execute malicious code on that gadget. It affects Android 2.2 to 5.1, so about 950 million devices. Version 4.1 and later have defenses to limit some of the damage that can be done.

If you're a Nexus owner, the Stagefright security update should already be installed on your Android device. However, of the six patches in the bundle, one needs more work – meaning, patched devices are still potentially vulnerable to attack via Stagefright.

Researchers at Exodus Intelligence spotted a mistake in this particular source-code tweak, and crafted an MP4 video file to prove the patched Android library is still vulnerable. The Stagefright library crashes when trying to open that data in a multimedia message, and the team say the programming blunder is exploitable.

Exodus warned Google about it on August 7, and today published code showing how it's done because "Google is still distributing the faulty patch to Android devices via over-the-air updates." The vulnerability has been assigned CVE-2015-3864.

"There has been an inordinate amount of attention drawn to the bug – we believe we are likely not the only ones to have noticed it is flawed. Others may have malicious intentions," Exodus warned in a blog post.

"Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?"

Where it went wrong

The problem lies in this code in the Stagefright library:

uint64_t chunk_size = ntohl(hdr[0]); 
int32_t chunk_type = ntohl(hdr[1]); 
off64_t data_offset = *offset + 8; 
if (chunk_size == 1) { 
   if (mDataSource->readAt(*offset + 8, &chunk_size, 8) < 8) {
      return ERROR_IO;
   }
   chunk_size = ntoh64(chunk_size);

The variable chunk_size is read from the video file's data, and if is equal to 1, its value is replaced by a 64-bit value again loaded from the video data. Later on, we reach this code. SIZE_MAX is a 32-bit value, 0xFFFFFFFF.

if (SIZE_MAX - chunk_size <= size) {
   return ERROR_MALFORMED;
}

If chunk_size, a 64-bit unsigned integer, is greater than SIZE_MAX, the check is bypassed. The value is then added to a size variable, truncated to a 32-bit integer, and used to read too much data into another buffer, triggering a fault and a crash.

Even if this can only be exploited as a denial-of-service attack on someone, Exodus wanted to make the point that Google should have spotted this basic integer overflow bug before releasing the patch.

Google engineers have worked out a fix for the borked patch and are busy pushing it out to Nexus devices. It has also been posted on the Android Open Source Project, and other handset vendors will bundle it in with their next security update.

"Currently over 90 per cent of Android devices have a technology called ASLR enabled, which protects users from this issue," a Google spokesperson told The Register, seemingly oblivious to the fact that ASLR can be bypassed by exploiting other bugs in the operating system.

"We've already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update," the spokesgoogler added.

It's now up to other handset vendors to cover their users' asses, but so far there have been a lot of words and very little action. Motorola users here in Vulture West are still waiting for their original patch, and anecdotal evidence suggests other vendors are being just as tardy.

The monthly software updates for Android arranged by Google in light of the Stagefright bug release were lauded by many as a sensible idea. But whether handset vendors will live up to their promises remains to be seen. ®

Similar topics


Other stories you might like

  • Google shows off immersive maps, AR-flavored search, Pixel 7, and more
    Your essential de-hyped guide to what the Chocolate Factory teased at developer shindig

    Google IO Google I/O, the ad biz's annual developer conference, returned to the Shoreline Amphitheater in California's Mountain View on Wednesday, for the first time in three years. The gathering remained largely a remote event due to the persistence of COVID-19 though there were enough Googlers, partners, and assorted software developers in attendance to fill venue seats and punctuate important points with applause.

    Sundar Pichai, CEO of Google parent Alphabet, opened the keynote by sounding familiar themes. He leaned into the implied sentiment, "We're here to help," an increasingly iffy proposition in light of the many controversies facing the company.

    He said he wanted to explain how Google is advancing its mission in two ways, "by deepening our understanding of information so that we can turn it into knowledge and advancing the state of computing so that knowledge is easier to access no matter who or where you are."

    Continue reading
  • iOS, Android stores host more than 1.5 million 'abandoned' apps
    That's more than the total that are actively maintained, study claims

    A study has found more outdated apps in Apple's App Store and Google Play than actively updated ones. 

    Analytics biz Pixalate – the outfit behind the study, titled The Abandoned Mobile Apps Report – told The Register its figures appear "to support Apple's apparent desire to 'clean up' abandoned apps," despite the unpopularity of the announcement with developers. The iGiant last month threatened to wipe away software from its store that hasn't been updated for a significant period of time.

    The report consists of data from crawls of the Android and iOS app stores to look for what Pixalate classified as abandoned apps – those that have gone two or more years without an update. Between the two stores in the first quarter of 2022, Pixalate said it found more than 1.5 million abandoned apps, amounting to 33 percent of the more than five million apps it told The Register it examined. 

    Continue reading
  • Microsoft closes Windows LSA hole under active attack
    Plus many more flaws. And Adobe, Android, SAP join the bug-squashing frenzy

    Microsoft patched 74 security flaws in its May Patch Tuesday batch of updates. That's seven critical bugs, 66 deemed important, and one ranked low severity.

    At least one of the vulnerabilities disclosed is under active attack with public exploit code, according to Redmond, while two others are listed as having public exploit code.

    After April's astonishing 100-plus vulnerabilities, May's patching event seems tame by comparison. However, "this month makes up for it in severity and infrastructure headaches," Chris Hass, director of security at Automox, told The Register. "The big news is the critical vulnerabilities that need to be highlighted for immediate action."

    Continue reading
  • Engineer gets Windows 11 working on a Surface Duo
    So those hardware requirements for Microsoft's OS really are arbitrary

    Arch tinkerer Gustave Monce has demonstrated Windows 11 running on a first-generation Surface Duo.

    The Duo is famously an Android device but, fresh from showing that Windows 11 could be coaxed into running on a Lumia Windows Phone, Monce has worked his magic on Redmond's first effort at a foldable handset.

    While Monce's work on the Lumia 950XL was more of an intellectual exercise, getting both screens working on the Duo is undeniably impressive. His adventures have been well documented on Twitter, with the engineer observing: "I think there might be a performance ~~gap~~ ocean between this and the Lumia 950 XL. Crazy what 4 years did in terms of SoC performance. Oh and thermals are very good."

    Continue reading

Biting the hand that feeds IT © 1998–2022