Tuesday, August 4, 2015

Android StageFright Update

A few updates to the Android StageFright vulnerability:

First, Google has promised a patch release for the issue this week, but where is it? Second, Samsung is said to have released a patch for its applicable devices.

While blocking SMS/MMS messages from unknown sources is a great start, you should also disable automatic download of these messages. However, this will not fully protect you. Viewing a webpage with a specially crafted malicious video can exploit the vulnerability as well. This makes the issue a tricky one. How many users can really say they are able to identify a "sketchy" link or site with a high level of certainty? Not to mention that watering hole attacks and malvertising can throw that precautionary step right out the window.

Over at StackExchange, this post discusses a proof-of-concept mp4 video file that appears to exploit an overflow condition in one of the StageFright components. I cannot personally vouch for the file, but I did perform a brief analysis of it in a hex editor. It appears to define a field named 'tx3g' that is very long, possibly causing the overflow condition. Details will be released over the next day or two by Joshua Drake aka JDuck, so expect more concrete PoC information to surface by week's end.
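A triage check in the spirit of the hex-editor inspection above, as an added example that is not from the original post or the StackExchange thread: it walks the MP4 box tree and flags a `tx3g` box whose declared size is implausibly large or runs past its parent. The 64 KiB threshold, the function names and the constructed sample bytes are assumptions for illustration.

```python
import struct

CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}  # boxes that only hold boxes
MAX_TX3G = 64 * 1024  # assumed triage threshold, not a value from the patches

def walk(buf, start, end, path, findings):
    """Walk ISO BMFF boxes in buf[start:end]; append (path, size, reason) findings."""
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, pos)
        name = path + "/" + kind.decode("latin-1")
        header = 8
        if size == 1:  # 64-bit largesize follows the type field
            if pos + 16 > end:
                findings.append((name, None, "truncated largesize"))
                return
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:  # box runs to the end of its parent
            size = end - pos
        if size < header:
            findings.append((name, size, "size smaller than header"))
            return  # cannot advance safely
        if kind == b"tx3g" and size > MAX_TX3G:
            findings.append((name, size, "oversized tx3g"))
        # Python ints never wrap, so this bound check is exact; a C parser
        # must do the same comparison without overflowing pos + size.
        if pos + size > end:
            findings.append((name, size, "overruns parent"))
            return
        if kind in CONTAINERS:
            walk(buf, pos + header, pos + size, name, findings)
        elif kind == b"stsd":  # skip version/flags + entry_count, then sample entries
            walk(buf, pos + header + 8, pos + size, name, findings)
        pos += size

def scan_mp4(buf):
    findings = []
    walk(buf, 0, len(buf), "", findings)
    return findings

def box(kind, payload=b"", declared=None):
    """Build one box; `declared` overrides the size field (constructed test data)."""
    size = 8 + len(payload) if declared is None else declared
    return struct.pack(">I4s", size, kind) + payload

def sample(tx3g_declared=None):
    """Constructed minimal box tree, not a real media file or the PoC."""
    inner = box(b"stsd", b"\x00" * 8 + box(b"tx3g", b"\x00" * 16, tx3g_declared))
    for kind in (b"stbl", b"minf", b"mdia", b"trak", b"moov"):
        inner = box(kind, inner)
    return box(b"ftyp", b"isom\x00\x00\x00\x00") + inner
```

`scan_mp4(sample())` returns an empty list, while `scan_mp4(sample(0x7FFFFFFF))` reports the `tx3g` entry twice: once as oversized and once as overrunning its parent box.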

Update: Below are links to the patches provided to Google for the issues. All of these are integer overflow or underflow issues.

https://android.googlesource.com/platform/frameworks/av/+/0e4e5a8%5E!/

https://android.googlesource.com/platform/frameworks/av/+/5c134e6%5E!/

https://android.googlesource.com/platform/frameworks/av/+/030d8d0%5E!/

