Zimperium, the security company that initially found the vulnerabilities in Android's Stagefright media library, promised on August 5 that it would release an open source exploit for testing purposes. The company has now released the exploit in the wild to get Android OEMs to hurry up and deliver the patches to their devices, but also to allow other security experts to test whether their devices are still vulnerable.
Exploit in the wild

The publicly released exploit is not a "generic exploit," the company said, because it has only been tested on an older Nexus running Android 4.0.4. The Stagefright vulnerability used for the exploit has been neutered by Android 5.0's use of the GCC 5.0 compiler, which comes with integer overflow mitigation.
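As an added illustration of the bug class the paragraph refers to (an integer overflow in length arithmetic), not Zimperium's exploit and not Android's Stagefright code, the following C shows an unchecked length sum beside a checked one in a toy chunk parser; the chunk layout and sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed chunk header: 4-byte type tag followed by a 4-byte big-endian length. */
#define HEADER_LEN 8u

/* Unchecked arithmetic: with declared_len near UINT32_MAX the sum wraps to a
 * small value, so a buffer sized from it is far too short for the data the
 * parser later copies into it. */
uint32_t unchecked_total_len(uint32_t declared_len) {
    return declared_len + HEADER_LEN;          /* silently wraps on overflow */
}

/* Hardened arithmetic: detect the wrap and refuse the chunk. A build with
 * integer-overflow trapping (the mitigation the article credits) would abort
 * here instead of continuing with a wrapped value. */
bool checked_total_len(uint32_t declared_len, uint32_t *out) {
    uint32_t total;
    if (__builtin_add_overflow(declared_len, HEADER_LEN, &total))
        return false;
    *out = total;
    return true;
}

/* Parse one chunk header from buf. Returns the chunk's total length on
 * success, or -1 when the header is truncated, the length would wrap, or
 * the chunk claims more bytes than are actually present. */
int64_t parse_chunk(const uint8_t *buf, size_t buf_len) {
    if (buf_len < HEADER_LEN) return -1;
    uint32_t declared = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                        ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    uint32_t total;
    if (!checked_total_len(declared, &total)) return -1;   /* overflow */
    if (total > buf_len) return -1;                        /* short read */
    return (int64_t)total;
}

/* Constructed inputs: a sane chunk and one whose length field would wrap. */
static const uint8_t sane_chunk[12]     = {'c','h','n','k', 0,0,0,4, 1,2,3,4};
static const uint8_t wrapping_chunk[8]  = {'c','h','n','k', 0xFF,0xFF,0xFF,0xFC};

int64_t demo_sane(void)     { return parse_chunk(sane_chunk, sizeof sane_chunk); }
int64_t demo_wrapping(void) { return parse_chunk(wrapping_chunk, sizeof wrapping_chunk); }
```

The unchecked sum turns the wrapping chunk's 0xFFFFFFFC length into a total of 4, while the checked parser rejects the same bytes outright.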
Zimperium's release of the exploit doesn't necessarily make it that much easier for attackers to exploit Stagefright, as other exploits have already been created that can even bypass Android's address space layout randomization (ASLR) protection, and there are likely to be more out there that we don't know about.
Upgrades still in poor shape

So far only Google (Nexus devices), Samsung, and LG have promised monthly security updates after the Stagefright vulnerabilities were first made public. However, a few other companies, such as Motorola, HTC and Sony, have also started sending Stagefright patches for some of their devices.
The main problem here is that none of these companies are going to patch most of the exploitable devices, which includes all Android 2.3 devices and beyond, covering over 900 million smartphones and tablets. At best, the majority of the OEMs will upgrade their most popular devices from the past two years, and that's about it.
Because Google is not responsible for updates across the Android ecosystem, OEMs are pitted in a price race to the bottom, where the cost of developing updates for shipped smartphones is discounted as unimportant compared to priorities such as a better camera, processor or screen, or simply a lower price than the competition. This situation may never fix itself until Google takes the whole responsibility upon itself (and the OEMs allow it to do so).
Initial quick-fixes not enough

The Stagefright vulnerabilities were indeed a wake-up call for Google as well as some manufacturers, but they are unlikely to be big enough to make them consider a significantly improved upgrade system. After all, only three companies promised monthly security updates, and even they didn't say how long that program will remain in place for a given device, or whether all of their devices will be covered by it.
Some apps, such as Hangouts and Messenger, have also been updated by Google to resist Stagefright exploits, since the easiest way to attack a user is through an MMS or other video file delivered to a messaging app that has auto-retrieval of video files enabled.
However, this isn't the only way users can be attacked. They can also receive video files through the browser when visiting a website. Typically, the user would have to accept such a file, though, so the risk there is minimized.
Checking for Stagefright vulnerabilities

To check whether you're still vulnerable, you can use Zimperium's Detector app. The app now also checks for the additional bugs in the Stagefright library that Exodus Intelligence disclosed shortly after the first Stagefright announcement. Patches for these latest bugs haven't been distributed to many devices yet, though, as they are set to arrive in the next batch of official upgrades from Android OEMs (which could be a few weeks for Google, LG and Samsung, or a few months for others).
Zimperium has also collaborated with Google to include the Detector app's logic in the Android Compatibility Test Suite (CTS), to ensure that all new smartphones will be protected against these vulnerabilities.