The Stagefright scare isn’t over, folks. The Android vulnerability, which would allow a devious hacker to take full control of your phone by sending you a message, has been in the news heavily in recent weeks, and it prompted a quick response by Google, carriers and OEMs to get devices patched up ASAP. The patches have been rolling in like a vicious typhoon.
But there’s reason to believe we aren’t out of the woods yet. While Google patched the initially reported Stagefright CVEs (common vulnerabilities and exposures), the company apparently overlooked another that is still wide open for the taking.
That much was discovered by security research firm Exodus Intel, which went into detail, with code examples, on how there are still nasty bugs floating around in the multimedia library. The new revelations are most likely the result of the increased publicity and media attention on Stagefright. It was apparently all the talk at a few recent security conferences as well, and those folks were undoubtedly poking around in Stagefright to see if they could find something Google and Zimperium might have initially missed.
So what’s Google doing about it now? Exodus disclosed the vulnerability and submitted a patch to Google on August 7th, the same day that the Black Hat conference started. It initially didn’t get much attention from Google ahead of pushing the current Stagefright patches, but the company did eventually accept the new fixes and is planning to push them out to Nexus handsets in the September edition of its new monthly critical patch commitment. As for other OEMs, Google has already sent the code off to them to patch in themselves.
If you have Zimperium’s Stagefright detection app you’ll most likely have an update that checks for the new vulnerability, which was assigned a CVE number of CVE-2015-3824. Lookout’s Stagefright detector had not been updated for the new CVE as of the time of this writing, so if it’s telling you everything is OK, it’s probably not accurate.
The lesson being learned in all this is that security threats are never-ending, but thankfully the researchers who find these things are responsible and quick, and Google is equally quick in its response. Whether it’s Stagefright or another big vulnerability, more will continue to pop up, and Google’s new approach for quickly addressing them should hopefully help mitigate serious damage that could be done. We’ll be looking for news on follow-up patches in the near future.
[Update]: User zlatty down in the comments section reveals to us that the latest CyanogenMod builds do, in fact, have all of the latest Stagefright fixes, so kudos to them!
[via Threatpost]