
Millions left at risk as Android Stagefright fix pushed to September

The Android Stagefright vulnerability continues to put millions of users at risk because Google's first attempt at a patch did not work, and a new fix likely will not come until September.

Researchers say that the first attempt by Google to patch the Android Stagefright vulnerability was incomplete and still left devices at risk of exploitation. Google will not be able to push out the full patch until September.

The first attempt at a fix was a bundle of six patches released early last week by Google for its line of Nexus devices. However, researchers found that one of the patches was incomplete, so devices were still at risk after the patch.

The Stagefright flaw was first disclosed by Zimperium zLabs about three weeks ago. The vulnerability could allow remote code execution via an exploit delivered in a specially crafted MMS message. The flaw affects Android versions 2.2 and newer, but Google has stated that versions 4.1 and newer use address space layout randomization (ASLR), which makes a successful exploit much more difficult.

Android versions 4.1 and newer make up 91% of the market, according to Google's latest platform statistics. That still leaves millions of older devices at higher risk, but experts say it also lowers the likelihood that enterprises would be at risk, especially those with MDM policies requiring newer devices for employees.

According to Tod Beardsley, engineering manager at Boston-based Rapid7 LLC, the problem is not the presence of flaws in the Android software, but rather the process for remediating them.

"Shipping vulnerabilities literally happen to everyone, so everyone needs to be prepared to fix vulnerabilities before the bad guys get a chance to exploit them," Beardsley said. "This means having reasonable patch pipelines in place for the inevitable security bug event. The Android ecosystem, today, isn't tooled for this. Patches can hit Google's source tree, but it takes weeks to months to get these patches on the devices in users' hands, with enormous, heroic effort. And even after this heroism, large chunks of the population won't get these patches at all."

Because of Google's patching policies, it is also unclear what versions of Android will be receiving patches at all. Earlier this year in dealing with vulnerabilities in the Android WebView component, Google said it would not provide patches to Android versions 4.3 and older. This would leave the devices at the highest risk for exploit via Stagefright without patches.

Google did not respond to comment requests on this matter at the time of this publication.

Beardsley said it may be time that Google fundamentally rethink the patching process on Android.

"Google recognized the problem of operating system updates when PC Browsers had bugs, and the Google Chrome engineering teams designed in continuous patching. Now, it's practically impossible for regular users to avoid running the latest Chrome," Beardsley said. "I hope the Android teams get to this point sooner rather than later. A month of lag time for a fix for high-profile issues like the ones in Stagefright is a dangerous race to run with malicious actors."


Does your organization have policies on Android devices used by employees?
We limit the types of Android devices that users can utilize to connect to the network. Only Samsung devices are allowed but we do not restrict carrier.

We also use an MDM solution to sandbox corporate data. 
Do you require a certain version of Android, or that the devices be upgraded regularly?
We utilize an MDM and Samsung-only devices as well. The native email handler from Samsung does a nice job, eliminating a dedicated 3rd-party Outlook client used previously; this removed a potential weak link.
So many Android devices have proprietary software, and the carriers want to test all the patches/kernel updates and OS version increases before allowing the phone/tablet to be updated. That is dumb. Android itself ought to be able to go to a server and grab the latest patches and updates as they are available, and stop with the proprietary software conflicts.
I agree that it would be better for the consumer if the service providers quit trying to put their own stamp on the Android OS, and just sold the device without it. Not only would the consumer be able to receive updates much more quickly, but I would also think that the OS would be less buggy because there would be fewer code changes by developers that did not write the original code for whatever version of Android the device ships with.