Monday, July 27, 2015

StageFright: Critical Android MMS bug affects an estimated 95% of Android Devices

A flaw has been discovered affecting Android devices that allows an attacker to execute arbitrary code via an MMS message without user interaction. What does this mean? Someone, anyone, can send you a malicious MMS (SMS aka "text" message with a multimedia attachment) that, upon receipt, will execute on your phone without you doing a single thing. Here is a more detailed read by the folks who discovered it. It will likely be referred to as "StageFright", as this is the back-end component that is affected. There were a total of 7 issues discovered, covered by the following CVEs:

CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829. See more at: http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/
Mitre: CVE-2015-1538
Mitre: CVE-2015-1539
Mitre: CVE-2015-3824
Mitre: CVE-2015-3826
Mitre: CVE-2015-3827
Mitre: CVE-2015-3828
Mitre: CVE-2015-3829

How can I protect myself? 

While a vendor patch is the only way to be fully protected, disabling automatic retrieval of MMS messages is one way to prevent the automatic execution of arbitrary code for this issue. I haven't seen this being talked about much yet, so spread the word!

In Hangouts:

Menu -> Settings -> SMS -> Auto retrieve MMS - uncheck this



In Messenger:

Menu -> Settings -> Advanced -> Auto-retrieve - turn this to 'off'


The bug finder, Joshua J. Drake (aka jduck), will be speaking at BlackHat 2015 about this issue in early August. Hopefully, patches will be delivered before then. At the very least, we all have a jump on this issue before it gets too ugly. Certainly, with the large number of devices affected and the severity of the issue, it won't be long before exploit attempts are observed in the wild. Be aware.
