The Stagefright scare isn’t over, folks. The Android bug, which would allow a devious hacker to take full control of your phone by sending you a message, has been in the news heavily in recent weeks, and it prompted a quick response by Google, carriers and OEMs to get devices patched up ASAP. The patches have been rolling in like a vicious storm.
But there’s reason to believe we aren’t out of the woods yet. While Google patched the originally reported Stagefright CVEs (common vulnerabilities and exposures), the company apparently overlooked another that is still wide open for the taking.
That much was revealed by security research firm Exodus Intel, who went into detail with code examples of how there are still nasty bugs floating around inside the multimedia library. The new revelations are likely the result of the increased exposure and media attention of Stagefright. It was apparently all the talk at a couple of recent security conferences, as well, and those guys were surely poking around in Stagefright to see if they could uncover something Google and Zimperium might have originally missed.
So what’s Google doing about it now? Exodus disclosed the vulnerability and submitted a patch for Google on August 7th — the same day that the Blackhat conference began. It originally didn’t get much attention by Google ahead of pushing the current Stagefright patches, but the company did eventually accept the new fixes and are planning to push them out to Nexus handsets in the September edition of their new monthly critical patch commitment. As for other OEMs, Google has already sent the code off to OEMs to patch it in themselves.
If you have Zimperium’s Stagefright detection app you’ll likely have an update that checks for the new vulnerability, which was assigned a CVE number of CVE-2015-3824. Lookout’s Stagefright detector was not updated for the new CVE as of the time of this writing, so if it’s telling you everything is OK, it’s probably not accurate.
The lesson being learned in all this is that security threats are neverending, but thankfully the researches who uncover these things are responsible and fast, and Google is equally fast in their response. Whether it’s Stagefright or some other big vulnerability, more will continue to pop up, and Google’s new approach for swiftly addressing them should hopefully help mitigate serious damage that could be done. We’ll be on the lookout for news on follow-up patches in the near future.
[Update]: User zlatty down in the comments section reveals to us that the latest CyanogenMod builds do, in fact, have the absolute latest Stagefright fixes, so kudos to them!