Report: Stagefright patch doesn’t fix 950 million vulnerable devices

The patch for Android's Stagefright vulnerability won't actually protect your phone, some security researchers say. According to Jordan Gruskovnjak and Aaron Portnoy of Exodus Intelligence, a malformed MP4 file can still trigger a buffer overflow, a vulnerability that could then be used to compromise 950 million Android phones.

The Exodus blog post walks through the vulnerability. A function in libStagefright reads two values from an MP4 file's header, chunk_size and chunk_type, as 32-bit integers. If chunk_size is 0x01, a 64-bit value is read from the MP4 instead. According to the researchers, if an MP4 is crafted with a chunk size of 0x1fffffff (or any other value outside the bounds of a 32-bit integer), a flaw in the Stagefright patch's boundary-checking code means a buffer overflow is still possible.
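As an added illustration (not Exodus's or Android's code), this is the class of check the paragraph describes: a header parser that honours the 64-bit size escape, a length check that passes in 64-bit arithmetic but is then narrowed to a 32-bit size_t, and a corrected check beside it. The header bytes and the 33-bit chunk size 0x1ffffffff are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Added illustration, not Exodus's or Android's code. An MP4 box header
 * carries a 32-bit size; 1 means a 64-bit size follows. uint32_t models the
 * 32-bit size_t of a 32-bit Android device. */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one box header into chunk_size/chunk_type; false if truncated. */
bool parse_box(const uint8_t *hdr, size_t hdr_len, uint64_t *chunk_size,
               uint32_t *chunk_type) {
    if (hdr_len < 8) return false;
    *chunk_size = rd32(hdr);
    *chunk_type = rd32(hdr + 4);
    if (*chunk_size == 1) {                     /* 64-bit size follows */
        if (hdr_len < 16) return false;
        *chunk_size = ((uint64_t)rd32(hdr + 8) << 32) | rd32(hdr + 12);
    }
    return true;
}

/* Weak: UINT32_MAX - chunk_size is evaluated in 64 bits and underflows when
 * chunk_size exceeds 32 bits, so the check passes and the sum is truncated.
 * Both grow_* functions return the new length, or 0 if the chunk is rejected. */
uint32_t grow_weak(uint32_t cur_len, uint64_t chunk_size) {
    if ((uint64_t)UINT32_MAX - chunk_size <= cur_len) return 0;
    return (uint32_t)(cur_len + chunk_size);    /* can wrap below cur_len */
}

/* Hardened: reject anything that does not fit size_t before adding. */
uint32_t grow_checked(uint32_t cur_len, uint64_t chunk_size) {
    if (chunk_size > UINT32_MAX || chunk_size > (uint64_t)UINT32_MAX - cur_len)
        return 0;
    return (uint32_t)(cur_len + chunk_size);
}

/* Constructed header: size field 1, type 'mdat', 64-bit size 0x1ffffffff. */
static const uint8_t CONSTRUCTED_HDR[16] = {
    0x00, 0x00, 0x00, 0x01, 'm', 'd', 'a', 't',
    0x00, 0x00, 0x00, 0x01, 0xff, 0xff, 0xff, 0xff };

/* Parse the constructed header; return its chunk size, or 0 on any error. */
uint64_t demo_chunk_size(void) {
    uint64_t cs; uint32_t ct;
    if (!parse_box(CONSTRUCTED_HDR, sizeof CONSTRUCTED_HDR, &cs, &ct)) return 0;
    return ct == 0x6d646174u ? cs : 0;          /* 0x6d646174 == "mdat" */
}
```

With a 4 KiB buffer, grow_weak accepts the constructed chunk and reports a new length of 0xfff, smaller than the buffer it already has, while grow_checked rejects it.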

Exodus says it notified Google of its findings on August 7. The company asked Google for a timeframe for another fix, but has not received a response. Since the Stagefright vulnerabilities were originally reported to Google in April, and it's been more than 90 days since that original disclosure, Exodus has decided to make the results of its research public. For now, even patched Android devices appear to remain vulnerable to the bug.

Ben Funk

Sega nerd and guitar lover

Comments closed
    • ronch
    • 4 years ago

    Oh jeez. Computers have all sorts of tricky vulnerabilities! Let’s all just ditch them and go fly kites outdoors!

    • Chrispy_
    • 4 years ago

    I love Stagefright.

    It’s the issue that’s made people realise that their carriers are the problem. Regardless of whether the patch fixes it or not, most people can’t GET any patches, because their carrier hasn’t bothered rolling any updates out for as long as NEVER.

    Seriously, it’s like getting your Windows updates from your cable TV provider, except they’re not just Windows updates, they’re 90% cable TV adverts and bloatware that does things only of benefit to the provider, and the update is useless because it was superseded three months ago and this patch was rolled out by Microsoft 18 months ago.

    • UnfriendlyFire
    • 4 years ago

    OEM manufacturers:

    “Why should we support our ‘obsolete’ (aka +2 years old) products? Everyone should be on those two year contracts anyways!”

    If Microsoft did the same:

    “We’re dropping security support for Vista and 7 after Windows 8.1 launches. It’s your fault for not upgrading.”

    *And everything proceeds to go to hell for Microsoft, businesses that haven’t even gotten off of XP yet, and everyone in general (bot-nets with dozens of millions of zombie computers = not fun).

      • Spotpuff
      • 4 years ago

      I’ve said it before and I’ll say it again: no one gives MS enough credit for the fact that you can often just install their OS on whatever hardware and it will run.

      Google can’t even keep its own Nexus line up to date with software when the hardware is 2 years old.

        • Platedslicer
        • 4 years ago

        The Android OEMs’ marketing departments probably make up a sizable chunk of the problem through their desire to reinforce differentiation and planned obsolescence. I’d wager that if Google made an earnest push towards uniformity and a flexible driver model, a lot of their manufacturing partners would throw fits.

        Microsoft was more fortunate. When DOS and Windows were steadily taking over the world, the IBM-PC market was composed of many companies that were more interested in getting their products to market than in walling off their turf.

        I think the writing is on the wall for the big Android OEMs though, with Samsung being the most prominent. Their shoddy update practices and crappy reskins/bloatware are getting on a lot of people’s nerves, and low-cost Chinese competitors are putting the squeeze on them. Eventually Google may have enough leverage to fix the mess.

          • Platedslicer
          • 4 years ago

          Uh… downvoters care to elaborate?

        • UnfriendlyFire
        • 4 years ago

        “no one gives MS enough credit for the fact that you can often just install their OS on whatever hardware and it will run.”

        I know a specific laptop model (released after Windows 8.1 launched) that is incompatible with Windows 8, 8.1, and 10 due to an unfixed BIOS or firmware bug. The bug causes the laptop to crash if it goes into sleep or hibernate mode.

        • spugm1r3
        • 4 years ago

        The main difference is, Google is not an OS provider, where MS is. Given the amount of money and effort Google (Alphabet, or whatever) and its various holdings expend on pushing out the latest and greatest, they appear to have no interest in legacy support. Support that could, arguably, hinder the development of the latest and greatest.

        That said, I’ll agree with your assessment of MS. It is a relatively short list of systems that can’t run the vast majority of MS’s offerings from the last 10 years.

          • Deanjo
          • 4 years ago

          Ummm what? They are the gatekeepers of Android, they also offer ChromeOS.

          MS is also not only an OS provider, like Google; in fact they offer pretty much the same services as Google.

          Hotmail / Gmail
          Bing Maps / Google Maps
          Office 365 / Google Docs
          Skype / Google Talk
          Bing / Google search
          Etc, etc, etc……

      • BobbinThreadbare
      • 4 years ago

      Microsoft didn’t drop any support for Windows 7. SP1 is supported for several more years.

    • ikjadoon
    • 4 years ago

    Out of curiosity, why hasn’t some hacking group already jumped on this? 950 million mobile users is nothing to scoff at.

    …*dons tinfoil hat* or have they already and we just don't know about it? The perfect crime!

      • Deanjo
      • 4 years ago

      What makes you think they haven’t?

        • windwalker
        • 4 years ago

        Antivirus vendors are probably monitoring this and waiting for the opportunity to promote and sell.

          • dmjifn
          • 4 years ago

          Actually, the very free version of Avast! mobile already identifies this as a critical issue and instructs you how to turn off background retrieval of MMS attachments. Again, for free.

            • windwalker
            • 4 years ago

            That’s very nice but the vulnerability is in media playback, not MMS.
            MMS is just a channel that would allow a piece of malware to be delivered without user participation.

      • BobbinThreadbare
      • 4 years ago

      950 million devices is probably not 950 million users.

        • UnfriendlyFire
        • 4 years ago

        950 million vulnerable devices make nice candidates for very large bot-nets.

    • tanker27
    • 4 years ago

    I can’t help but to point out that this is where Android fails hard, fragmentation. Even Android themselves keep up a fragmentation dashboard: https://developer.android.com/about/dashboards/index.html

      • sweatshopking
      • 4 years ago

      and literally none of them is remotely secure!

      • ikjadoon
      • 4 years ago

      This goes all the way back to Froyo, which is essentially 100% of all Android devices.

      Either Stagefright was way overblown in its potential as a real-world exploit or in the coming weeks, we should hear about massive, worldwide breaches.

      Right?

      • morphine
      • 4 years ago

      Well, the actual fragmentation comes with the OEMs + carriers. If it was as simple as providing security fixes for the affected Android versions, Google would have done that easily, as they do with their Nexus devices.

        • Deanjo
        • 4 years ago

        That still falls back onto Google’s plate. The biggest mistake Google made was allowing Google-approved, licenced manufacturers to carry out their own updates.

          • morphine
          • 4 years ago

          Well, hindsight is always 20/20.

          And it amuses me the number of people that said that Microsoft-provided mandatory WinPhone updates are a bad thing.

            • Deanjo
            • 4 years ago

            I can’t imagine anyone sane and with a wee bit of tech knowledge didn’t see this coming a mile away when they announced the initial Android release plans.

            It doesn’t take a rocket scientist to figure out that the more entities that you rely on, the more point of failures will exist.

            Can you imagine if MS said “All your Windows updates would be from your computer OEM.”?

        • MadManOriginal
        • 4 years ago

        That’s a big part of the reason I will only buy Nexus devices. Still rocking a 4 for my phone, and a Nexus 7.

        • rxc6
        • 4 years ago

        Not quite true. Remember the Galaxy Nexus? Support was dropped after 18 months (not even two years!). Thankfully they have done a better job lately, but not even Google could support that hardware configuration for long.

          • morphine
          • 4 years ago

          Nobody’s perfect 🙂

          But yeah, that happened.

      • Platedslicer
      • 4 years ago

      It’s because of sh*t like this that I’m almost positive I’ll be moving to Windows Phone when they refresh the lineup later this year (hopefully).

        • albundy
        • 4 years ago

        I use GrooveIP a lot, which is only for iOS and Android. Too bad WP doesn’t have an app like it, since Nokia phones are cheap as sh*t now.
