Summary: StageFright patch flawed – 950 Million Android users still vulnerable.
Jordan Gruskovnjak / @jgrusko (technical details) and Aaron Portnoy / @aaronportnoy (commentary) in Stagefright: Mission Accomplished? offer these findings on the StageFright patch from Google:
- The flaw was initially reported over 120 days ago to Google, which exceeds even their own 90-day disclosure deadline
- The patch is 4 lines of code and was (presumably) reviewed by Google engineers prior to shipping. The public at large believes the current patch protects them when it in fact does not.
- The flaw affects an estimated 950 million Google customers.
- Despite our notification (and their confirmation), Google is still currently distributing the faulty patch to Android devices via OTA updates
- There has been an inordinate amount of attention drawn to the bug–we believe we are likely not the only ones to have noticed it is flawed. Others may have malicious intentions.
- Google has not given us any indication of a timeline for correcting the faulty patch, despite our queries.
- The Stagefright Detector application released by Zimperium (the company behind the initial discovery) reports “Congratulations! Your device is not affected by vulnerabilities in Stagefright!” when in fact it is, leading to a false sense of security among users.
Read the full post by Jordan Gruskovnjak and Aaron Portnoy for technical details and commentary on this failure to patch StageFright.