Fairphone patch for the Stagefright vulnerability

Hmmm, my Fairphone updater tells me the phone is up-to-date, but it is on 1.8.5

The 1.8.7 update is not an official release yet but can be manually installed (by “advanced users”).

Strange: that is not reflected on https://fairphone.zendesk.com/hc/en-us/articles/205679425-Software-update-1-8-7-log-August-2015

Hello,

There’s a twist to the story about security fixes to the Stagefright bug. Yesterday, security researchers from Exodus Intelligence reported that a security vulnerability related to Stagefright was not included with the official patches from Google. That means, the updates posted yesterday (and those sent to Google devices and other brands/operators) still have a vulnerability. Therefore, we are working on a new software update to incorporate these latest security patches. Luckily, they should be ready soon. Our estimate is that they will be ready early next week.

In the meantime, we are updating our support articles and removing the files of the 1.8.7 update that is missing the recently discovered security patch.

Once we have the final software update (expected early next week), we will write all Fairphone owners and be able to send the update over Wi-Fi. Thanks for your patience.

10 Likes

Thank god I did the upgrade to 1.8.7 already and have the “Firefox fix”. :smile:
I’ll be waiting for the 1.8.8. :smiley:

4 Likes

The build for next week will contain the latest fixes (and a new build number) but the name will remain 1.8.7. The process of creating a release and updating the documentation does not allow us to increase the version number and release on such short notice.

Current 1.8.7 users will also be prompted to upgrade their operating system.

7 Likes

That sounds like “We can release patches on quick notice, but our bureaucracy system forbids the quick increase in version numbers.” If it is so, you might need to think about changing some things…

Hi HackAR, as mentioned the process of creating a release does not only involve integrating a patch and sending it to our users. It also involves things like translation, testing, updating upgrade tutorials and such. I won’t go into discussion here and merely provided the required information to correct your wrong assumptions.

11 Likes

I get the same thing. Perhaps we will be able to update, when the 1.8.7 is definitive (see newer reactions)?

Yes, this is taking longer than expected as we are, among other things, running additional tests. Hence the delay.

4 Likes

Hello,
It is great that Fairphone will be one of the first smartphones to get a patch for the Stagefright vulnerability. This is IMHO a really good customer service.
It seems that a new vulnerability (not related to Stagefright, though) has been found, which probably also affects the Fairphone:


The ID of this vulnerability is CVE-2015-3842. It does not seem to be listed (yet) under https://fairphone.zendesk.com/hc/en-us/articles/205679425-Software-update-1-8-7-log-August-2015 .
Will this vulnerability also be addressed in the coming security update, or do you think it is better to release the stagefright fix first?

Anyway, I think it is probably rather frustrating for the developers that security bugs seem to be popping up everywhere at the moment. I wish you the endurance and all the best to fix them. :smiley:

4 Likes

I take part in the closed beta. It seems that Fairphone plans to release an update with the fix for the Stagefright issue over-the-air (OTA) first, to not further delay this.

A fix for CVE-2015 will probably come later.

I applaud your positive attitude :wink:.

2 Likes

Well, a lot of other smartphones (albeit released more recently than the Fairphone) will probably not receive a fix at all, so I am quite happy that Fairphone is committed to the release of security fixes for the near future.

2 Likes

I also just saw the generic update offer at this moment.
Do I understand correctly that this patch only concerns android version 1.8?
TIA
(as my simcards don’t handle MMS the whole point is not an issue for me, but since I bought my phone that would be the very first time leaving version 1.6 is related to something significant for me…)

This is not about MMS, it’s about the Android library for video and audio processing

1 Like

I am not quite sure I understand correctly. Fairphone OS 1.6 is affected by these security issues as well as all other Fairphone OS versions below 1.8.7.
If you want to get the security updates, you need to update to Fairphone OS 1.8.7, therefore leave 1.6.

Thanks for this, and sorry if I misunderstood - but I heard the only ‘auto-trigger’ possibility was lying in a software that I am not using, and within MMS potentially being pre-loaded (thus ‘executed’ without my consent). That’s why I was talking about MMS.

If my v. 1.6 the way I use it is still OK (I never watch videos on my phone), I probably won’t upgrade, merely because I understood leaving to 1.7 would basically blank my phone, requiring an enormous setup process I’m not available to respend at this moment…

Hi all,

As we discussed on 14 August, last Thursday/Friday security researchers discovered still-existing vulnerabilities in the Stagefright fix that was being shipped around in Google devices as well as our own build. Therefore, we have been working to make a new build, perform thorough testing and make sure our support and tutorial infrastructure was ready.

The plan is to release the manual installation and over-the-air Wi-Fi update early next week, week of 24 August.

If you have already installed the update last week manually, you will also get a notification over Wi-Fi when the new update is available.

Thanks for your patience-

3 Likes

Not at all. As long as you don’t do the Storage Upgrade, you will only have to reinstall Google Apps.

3 Likes

Actually, MMS is just one way to attack using Stagefright. The problem with receiving an (auto downloaded) MMS is that the media within the MMS is displayed in the notification area. Other apps that have similar behavior are methods of attack as well. Examples include, but are not limited to Google Hangouts, WhatsApp and possibly other messaging apps as well.

1 Like