Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Stagefright Poses Serious Risks 1 Year After It First Surfaced

    By
    SEAN MICHAEL KERNER
    -
    July 28, 2016
    Share
    Facebook
    Twitter
    Linkedin
      Stagefright Android flaw

      On July 27, 2015, news broke about Stagefright, a vulnerability in Android. A year later, it’s clear that Stagefright has had a major impact on the mobile security world—more so than other vulnerabilities in recent memory.

      The Stagefright flaw isn’t just a single issue even though a year ago it wasn’t entirely clear how much of an impact the vulnerability would have. Stagefright, a reference to the libstagefright media library in Android, was found by Joshua Drake, vice president of Platform Research and Exploitation at Zimperium, to be vulnerable to exploitation.

      When I first spoke to Drake a year ago, he explained to me that the Stagefright issues were in large part integer overflows that lead to potentially exploitable memory buffer overflow conditions. The danger was that hundreds of millions of Android users were at risk from the issue, and unfortunately, a year later, hundreds of millions of Android users remain at risk.

      The initial set of Stagefright vulnerabilities were publicly disclosed at Black Hat USA 2015 and led Google to rethink its process for Android security, ushering in a new monthly cycle for Android patch updates. As it turns out, the initial Stagefright issues Drake disclosed were not the last libstagefright flaws, and he wasn’t the only security researcher to find stagefright-related flaws.

      Drake told me that, over the course of the last year of Android updates, Google has issued patches for 115 media server-related CVE (Common Vulnerabilities and Exposures) flaws. Of those, 49 were found directly in libstagefright, with 35 in libmedia and 31 in libraries on which libstagefright depends. The number of Stagefright-related flaws in the past year came as a surprise to Drake.

      “I expected shoring up the larger problem to take an extended and large effort, but I didn’t expect it to be ongoing a year later,” Drake said. “I think Google has their Android Security Rewards program to thank for many of the discovered and fixed issues.”

      The Android Security Rewards program, a bug bounty program for Android, is really serving its purpose, Drake said. In June, Google disclosed that it had paid out $550,000 in bug bounties in the program’s first year. Google paid Drake approximately $50,000 for his Stagefright-related disclosures.

      While Google has been patching Stagefright and related media server flaws for a year now, not all Android users update their devices and not every Android device gets updated. That window of vulnerability doesn’t necessarily translate into widespread exploitation although that risk does exist.

      “We believe that Stagefright-type vulnerabilities have and likely are being used in targeted attacks,” Drake said. “However, the nature of a targeted attack makes detection difficult.”

      Drake’s employer Zimperium has detection logic for Stagefright in its product platform, and customer data does shows several detections of Stagefright-related anomalies.

      Zimperium has benefited from the Stagefright disclosure, which helped raise the company’s overall profile. In June, Zimperium announced a $25 million Series C round of funding, bringing total financing to date for the company up to $43.5 million.

      While Stagefright-related flaws remain an issue in the current generation of Android devices, Google has pledged to make significant improvements in the upcoming Android N release cycle. That said, Drake’s view is that Google is likely not going to back-port media server isolation improvements from Android N to earlier Android releases.

      “Google sort of abandons older versions of Android, and only provides security fixes for them,” Drake said. “This fact, combined with the practice of shipping security improvements in new major releases only, underscores the need for faster adoption of new major versions of Android.”

      While Drake’s discovery of the Stagefright flaw in 2015 has had an obvious impact on Android, Drake did not win and wasn’t nominated for a Pwnie award at Black Hat in 2015, due to timing issues. For 2016, that situation is very different. The Pwnie awards are a somewhat whimsical award, but they are still valued for notoriety.

      For 2016, Stagefright is nominated for multiple Pwnie Awards, including the Pwnie for best server-side bug, best client-side bug and most over-hyped bug. Drake tells me that he doesn’t currently have an acceptance speech prepared, but if he wins, he will say something on the spot.

      “It’s been such an eventful year industry-wide that there’s serious competition in every category,” Drake said. “I would not be surprised to leave Vegas without a golden pony at all.”

      While I have no insider insight into whether Drake will win a coveted Pwnie award, I do know that I’ll be in the room to cheer him on regardless—for his contribution to information security and discovering the bug that literally changed the mobile security landscape for a billion people.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×