NULL Stagefright Bug Fix has Flaws, New Android Security Updates Needed

Stagefright Bug Fix has Flaws, New Android Security Updates Needed

Aug 24, 2015 05:48 PM EDT

Android security updates for the Stagefright Bug have not completely addressed vulnerabilities, according to recent reports by industry experts. This development comes just as Android users are starting to receive the six-part security patch that was rolled out by Google earlier this month.

Even so, researchers at Exodus Intelligence found security issues that remain even with the new fix. Their report revealed a serious flaw in four lines of code. Hence, users may have been lured into a false sense of security. The same report indicates that as many as 950 million users are vulnerable to this exploit.

"If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have," Exodus asked.

The security company pointed out that Google was quietly notified of the flaw in July. According to their blog, Exodus announced the flaw publically after failing to receive a response within Google's 90-day disclose deadline.

Android Watchers Predict Delays with Next Stagefright Bug Fix

Many Android observers expressed concern that Google is not quick enough to address the security exploit that was discovered recently. Last week, Rapid7 security manager Tod Beardsley highlighted the severity of this issue in an interview with the UK's Register.

"Even Nexus devices, which Google has the most direct control over, will have to wait until a September release for an update to the insufficient Stagefright patch," he revealed. "This lag time between having a fix in hand and distributing it to the user base is simply too slow to be reasonably safe."

Beardsley continued by insisting that Google could have responded better to the recent report from Exodus Intelligence.

"Many companies struggle with first contact with researchers reporting vulnerabilities, but this is not Google's first rodeo," Beardsley explained.

Meanwhile, Google insists that Android users are still protected by the Address Space Layout Randomization (ASLR) security feature. The Mountain View-based tech giant told the BBC that 90 percent of Android devices are ASLR enabled.

ASLR apparently complicates the process by which a device is hacked. In theory, the hacker may decide to go after easier prey should the technology be encountered. However, this is not an absolute guarantee.

Stagefright refers to a mechanism that allows Android to process video files being sent via MMS text messaging. Hypothetically, this function opens the way for hacking attacks without the user's knowledge. First introduced with Android 2.2, the Stagefright feature is present in millions of Android mobile devices worldwide.