[bestbits] vulnerability in android devices named "Stagefright"

Wisdom Donkor wisdom.dk at gmail.com
Fri Mar 18 20:27:43 EDT 2016


Dear All,

A new exploit for the vulnerability in Android devices named "Stagefright"
has been announced. The Stagefright bug was discovered by Joshua Drake from
the Zimperium security firm, and was publicly announced for the first time
on July 27, 2015. Prior to the announcement, Drake reported the bug to
Google in April 2015, which incorporated a related bugfix into its internal
source code repositories two days after the report. In July 2015, Evgeny
Legerov, a Moscow-based security researcher, announced that he found at
least two similar heap overflow zero-day vulnerabilities in the Stagefright
library, claiming at the same time that the library has been already
exploited for a while. Legerov also confirmed that the vulnerabilities he
discovered become unexploitable by applying the patches Drake submitted to
Google.

On the 17th March 2016 a group of Israeli researchers cracked the challenge
by crafting a reliable exploit for the Stagefright vulnerability that
emerged in Android last year.
Millions of unpatched Android devices are vulnerable to their crack, which
bypasses Android's security defenses. Visiting a hacker's webpage is enough
to trigger a system compromise.
Stagefright is the name of a software library used by Android to parse
videos and other media; it can be exploited by a booby-trapped message or
webpage to execute malicious code on vulnerable devices.

Certain mitigations of the Stagefright bug exist for devices that run
unpatched versions of Android, including disabling the automatic retrieval
of MMS messages and blocking the reception of text messages from unknown
senders. However, these two mitigations are not supported in all MMS
applications (the Google Hangouts app, for example, only supports the
former), and they do not cover all feasible attack vectors that make
exploitation of the Stagefright bug possible by other means, such as by
opening or downloading a malicious multimedia file using the device's web
browser.

Further mitigation comes from some of the security features built into
newer versions of Android that may help in making exploitation of the
Stagefright bug more difficult; an example is the address space layout
randomization (ASLR) feature that was introduced in Android 4.0 "Ice Cream
Sandwich" and fully enabled in Android 4.1 "Jelly Bean". The latest version
of Android 5.1 "Lollipop" includes patches against the Stagefright bug.

Cheers,





*WISDOM DONKOR (S/N Eng.)*
ICANN Fellow / ISOC Member, IGF Member, Diplo Foundation
OGP Working Group Member, Africa OD Working Group Member
E-government and Open Government Data Platforms Specialist
National Information Technology Agency (NITA)
Ghana Open Data Initiative (GODI)
Post Office Box CT. 2439, Cantonments, Accra, Ghana
Tel; +233 20 812881
Email: wisdom_dk at hotmail.com
wisdom.donkor at data.gov.gh
wisdom.dk at gmail.com
Skype: wisdom_dk
facebook: facebook at wisdom_dk
Website: www.nita.gov.gh / www.data.gov.gh
www.isoc.gh / www.itag.org.gh