Android's Stagefright Flaw Returns, Google Issues Patch
Google last week claimed it had fixed the Stagefright flaw, but it is back. Or did it ever actually really get fixed in the first place?Among the big stories to break at the Black Hat USA conference this year was the Android security vulnerabilities in the libstagefright media framework, impacting 950 million users. Google claimed last week that it had fixed the Stagefright flaws, but new research from security firm Exodus Intelligence now alleges otherwise. "The issue is still exploitable, despite the patches currently being shipped to Android devices," Exodus Intelligence wrote in a blog post on Aug. 13. "As of this morning, Google has notified us they have allocated the CVE [Common Vulnerabilities and Exposures] identifier CVE-2015-3864 to our report." As of Aug. 14, Google has actually made an open-source patch available for the CVE-2015-3864 issue. Although Google does not debate the fact that the issue exists, the company claims that the risk to users is not all that large. "Currently over 90 percent of Android devices have a technology called ASLR (Address Space Layout Randomization) enabled, which protects users from this issue," Google wrote in a statement to eWEEK. "We've already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA (Over the Air) update in the September monthly security update."
During the Black Hat event, Google's Android chief Adrian Ludwig announced a more aggressive, regular update schedule for Android devices. Ludwig also explained in great detail during his session the multiple layers of security in the Android ecosystem that prevent the exploitation of Stagefright-type flaws. Those layers include the Google Play app store itself, which scans apps for malicious code.