Botched Google Stagefright fix won't be resolved until September

Researchers tell Chocolate Factory to get its gingerbread house in order


According to security company Rapid7, Google needs to rethink how it patches Android in the wake of initial botched attempts to resolve the Stagefright vulnerability.

The criticism comes as Google itself confirmed users of its Nexus devices – who are the first to get security fixes – won't be fully protected until September.

The Stagefright vulnerability in Android creates a means to infect devices simply by sending a booby-trapped MMS message. An estimated 950 million devices running Android versions 2.2 through 5.1 are at risk. Versions 4.1 and later have defences that mitigate, without eliminating, the possibility of a successful attack.

The Stagefright vuln, discovered by Zimperium, ultimately stems from flaws in code handling multimedia files.

Google released a six-pack update to resolve the Stagefright vulnerability last week, but it quickly emerged that one of the components was incomplete, so that even patched devices were still at risk.

These shortcomings have put back the whole security remediation process by weeks.

Tod Beardsley, security engineering manager at Rapid7 – the firm behind the Metasploit pen-testing tool – commented: "The problem Google is facing is not so much shipping security vulnerabilities in popular software products: everyone ships bugs, it happens. The real problem we're seeing today is a breakdown in the Android patch pipeline."

"In this case, two critical components of Google's vulnerability handling process are failing. First, it is extremely difficult for Google, or anyone else, to get updated software into the hands of users," Beardsley said.

"Even Nexus devices, which Google has the most direct control over, will have to wait until a September release for an update to the insufficient Stagefright patch. This lag time between having a fix in hand and distributing it to the user base is simply too slow to be reasonably safe," he added.

"If malicious actors choose to exploit this set of vulnerabilities in the meantime, there seems to be nothing everyday users can do to defend themselves," Beardsley warned.

Google's security researchers in its Project Zero team regularly turn up flaws in other vendors' codebases and then push those vendors to develop a timely fix. Now that the boot is on the other foot, Google is failing to resolve flaws in a key part of its own technology in a timely manner, according to Beardsley.

"The other breakdown in the Stagefright feedback process was Google's handling of Exodus's alert about the flawed patch, by not responding in a timely way," Beardsley said. "Many companies struggle with first contact with researchers reporting vulnerabilities, but this is not Google’s first rodeo."

"After all, Google's Project Zero reports vulnerabilities to other major vendors routinely with certain expectations on communication. It needs to be able to practise what it preaches a little better in this area if Android users are to be confident in Google's stewardship of the codebase," he concluded.

Google declined to comment on Rapid7's criticism, but did provide an update on progress towards resolving the Stagefright security vulnerability, together with risk mitigation advice.

Currently, over 90 per cent of Android devices have a technology called ASLR* enabled, which protects users from this issue. We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update.

A blog post by Google explaining how it planned to go about resolving Stagefright can be found here. ®

Bootnote

* ASLR stands for Address Space Layout Randomisation, an exploit-mitigation technique that makes it harder to develop a reliable, successful exploit for a given vulnerability.
