Stagefright Android exploit exposes the problem with patching


The Stagefright Android exploit, MMS message vulnerability, reported to Google back in April, and made public in July, is still not fixed even if you have already patched it.

The Stagefright vulnerability was big news back in July, and for very good reason: around a billion Android devices were at risk of enabling attackers to steal data just by sending remotely executed code via a malicious MMS message that the recipient didn’t even have to open.

According to the Zimperium zLabs researcher, Joshua Drake, who discovered the vulnerability and responsibly disclosed it to Google well ahead of going public, said that this was a vulnerability that could impact “95 per cent of Android devices.”

The official disclosure stated that “Attackers can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited.”

Extremely dangerous indeed, and so serious did Google take it that patches to internal code branches of Android were applied within 48 hours of the company being informed. Applying code patches internally, when it comes to the widely dispersed Android code, is not the same thing as devices being safe though. As anyone who has ever waited for an Android update for their device to arrive, deployment can be a very long and drawn out process indeed.

In the rush to fix the problem it now appears that Google didn’t fix the problem

That said, Google did move relatively quickly and patches have been rolling out. What’s more, Google and Samsung have both announced that they will adopt over the air security updates on a monthly basis in future. This is a good thing, almost goes without saying.

Unfortunately, not such a good thing is the fact that in the rush to fix the problem it now appears that Google didn’t fix the problem. Erm, yep, that’s right; apparently the initial Android patch didn’t actually fix the Stagefright vulnerability at all. Now given that all versions of Android from Froyo (2.2) onwards are vulnerable, although those prior to Jelly Bean are apparently most at risk given a lack of incorporated mitigations, Google then released another patch.

Who is getting these patches and when, and who will get the new monthly patches and when, is the big question. There are so many vendors and so many devices, running so many versions of Android, that the whole security patching landscape is one big mess to be honest.

The main problem now is knowing if your device is still vulnerable to Stagefright or not, and the simplest way is to assume it is, frankly speaking. I have already recommended to all and sundry I know to deactivate the ‘auto retrieve’ settings for the messenger applications in use on their devices and would suggest you do the same.

Even Nexus devices, which Google has the most direct control over, will have to wait until a September release for an update

There are also a multitude of Stagefright detector apps now available in the Play Store, and I’m waiting to hear of one that has a malicious payload as it seems an obvious opportunity for the bad guys. That said, those from established security vendors such as the ESET Stagefright Detector App are safe enough, and will check to see if you are still vulnerable after whatever patching has been applied.

Tod Beardsley, security engineering manager at Rapid7, says: “The problem Google is facing is not so much shipping security vulnerabilities in popular software products, everyone ships bugs, it happens. The real problem we’re seeing today is a break down in the Android patch pipeline. In this case, two critical components of Google’s vulnerability handling process are failing. First, it is extremely difficult for Google, or anyone else, to get updated software into the hands of users. Even Nexus devices, which Google has the most direct control over, will have to wait until a September release for an update to the insufficient Stagefright patch.

“This lag time between having a fix in hand and distributing it to the user base is simply too slow to be reasonably safe. If malicious actors choose to exploit this set of vulnerabilities in the meantime, there seems to be nothing everyday users can do to defend themselves.

“The other break down in the Stagefright feedback process was Google’s handling of Exodus’s alert about the flawed patch, by not responding in a timely way. Many companies struggle with first contact with researchers reporting vulnerabilities, but this is not Google’s first rodeo. After all, Google’s Project Zero reports out vulnerabilities to other major vendors routinely with certain expectations on communication. They need to be able to practice what they preach a little better in this area if Android users are to be confident in Google’s stewardship of the code base.”

Tom Lysemose Hansen, founder and CTO of Promon, adds: “In almost all cases, vulnerabilities are developed to differ from their predecessor, so any attempt to patch them will be a reaction, rather than a proactive step to protect the device.

“While the patches may secure Android devices from Stagefright, future threats remain unaccounted for. Dealing with these threats in real time is all too often the crux of maintaining adequate security for your mobile device. App security should be perennial.

“Only when manufacturers and software developers acknowledge it is not possible for the mobile device to provide a complete environment secured against unknown future vulnerabilities, will they employ more effective approaches for the assessment and mitigation of risk. The onus should instead be placed on developers to adequately defend their individual applications against the many more strains of malicious software expected in the wake of these most recent examples. Adequate protection is only offered when these threats are dealt with as and when they appear, at the application level.”