Fairphone patch for the Stagefright vulnerability

Isn’t it common practice for someone finding security issues to contact the project first and leave them some time to prepare patches before going public? The latter being a way of “forcing” the project to act if it wants to ignore the problem?

Google has been informed and confirmed the patches were accepted and would be included in a future release.

MMS and their automatic download is only one vector to exploit that vulnerability on Android phones.

Not really.
It improves security, but since “the weaknesses resides in Stagefright, a media playback tool in Android” MMS is only one possible way to bring malicious image-files onto an Android device. It could also happen through e-mail, surfing the web, or displaying images in an app (especially such with user-content like social-media apps).

Someone at Slashdot suggested inserting

media.stagefright.enable-player=false

into build.prop. At xda-developers, they even posted

media.stagefright.enable-player=false
media.stagefright.enable-meta=false
media.stagefright.enable-scan=false
media.stagefright.enable-http=false
media.stagefright.enable-rtsp=false
media.stagefright.enable-record=false

If that works, it should help for all apps.

1 Like
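
An added example, not written by any poster in this thread: shell functions that set the six `media.stagefright.*` properties quoted above to `false` in a copy of build.prop without duplicating keys, and audit the result. The function names and the `.orig` backup suffix are choices made here; the thread itself does not confirm that these properties mitigate the bug.

```shell
#!/bin/sh
# Added example (not from the thread): set the six media.stagefright.* keys
# quoted above to false in a build.prop-style file, idempotently.
# Assumption: you work on a pulled copy of build.prop, not /system directly.

STAGEFRIGHT_KEYS="enable-player enable-meta enable-scan enable-http enable-rtsp enable-record"

# set_prop FILE KEY VALUE: collapse every "KEY=..." line into one "KEY=VALUE"
# line, or append it when the key is absent. All other lines are kept as-is.
set_prop() {
    file=$1 key=$2 value=$3 tmp="$1.tmp.$$"
    awk -v k="$key" -v v="$value" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k "=") == 1 { if (!seen) print k "=" v; seen = 1; next }
        { print }
        END { if (!seen) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# harden_build_prop FILE: keep a one-time FILE.orig backup, then set all keys.
harden_build_prop() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    [ -f "$1.orig" ] || cp "$1" "$1.orig"
    for k in $STAGEFRIGHT_KEYS; do
        set_prop "$1" "media.stagefright.$k" false || return 1
    done
}

# audit_build_prop FILE: list keys not set to false; succeed only if none.
audit_build_prop() {
    missing=0
    for k in $STAGEFRIGHT_KEYS; do
        grep -qxF "media.stagefright.$k=false" "$1" ||
            { echo "not disabled: media.stagefright.$k"; missing=1; }
    done
    return $missing
}

# Constructed sample input: one key already present with the opposite value.
demo=$(mktemp)
printf 'ro.build.id=CONSTRUCTED\nmedia.stagefright.enable-http=true\n' > "$demo"
audit_build_prop "$demo" || echo "-> needs hardening"
harden_build_prop "$demo" && audit_build_prop "$demo" && echo "-> all six disabled"
rm -f "$demo" "$demo.orig"
```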

that’s what the rest of the sentence you half-quoted was for. oh well

Stagefright shouldn’t have anything to do with the processing of images, just with video and audio. Of course, if you have other apps besides the stock messaging app that do processing (downloading is not enough) of untrusted video / audio content automatically and without user interaction, you might want to take care of that, too…

Hi,

just a quick note that we are aware of the problem and are working on a fix. This most likely will result in a new software update. We have to balance the current known risk with the possibility that more information gets known after the Black Hat presentation and we do want to prevent having to force our users to update twice. In short, we are working on a fix but do not know yet when we will release it.

7 Likes

FYI: A new Android Media Server vulnerability was made public of which FP1[U] owners are safe because only Android version 4.3 and newer are affected.

Some “toggle” app that would just do this (switching that property to false) would be welcome… But I’m not sure it’s easy to do, since the system is read-only by default.
In the meantime I adjusted the Autodownload feature following Kephson’s method.

There’s a build.prop Editor in the Google Play Store. Quote: “Root and busybox are required for this app to work correctly” - Yeah, we do have that…

That said, I have yet to see confirmation that these settings mitigate the StageFright issue. But it sure looks like it.

So it looks like we’ll be getting a fix for this. You know, I love that little fact because it shows that despite being stuck to Android 4.2, FP1 owners are still better off than people who have “A-brand” phones that are stuck on 4.2 as well (or even 4.3 and 4.4)

3 Likes

Although I loathe the fact that we will be stuck on 4.2 my main concern was indeed about security. So this sounds promising indeed!

1 Like

See the disclosure timeline at the end of this post from Trend Micro http://blog.trendmicro.com/trendlabs-security-intelligence/mms-not-the-only-attack-vector-for-stagefright/

I understand all image processing is compromised, also stuff you receive via WhatsApp or similar applications. You can turn off auto-download in WhatsApp as well though (settings -> chat settings -> media auto-download -> set everything to “no media”)

A fix via the software update should really be supplied by the Fairphone team as not all users will act on their own.

This update should happen sooner rather than later, as browser and MMS are affected by this bug and turning off active MMS fetching does only reduce the risk slightly, as malicious MMS can still be fetched by a naive user.

@anon90052001: Your update is 8 days old: Please keep the community updated. We depend on you and cannot act on our own behalf, as the source code of your OS is still (and as far as I know) never will be, really open.

See post 12 from @keesj, I’m sure he will update us in due course when there is more to say.

1 Like

FYI: German Telekom has temporarily disabled reception of MMS. Users instead get an SMS informing them that an MMS has not been delivered.

As reported by Heise (German only, AFAICT)

Hi Kees,

any news when the fix will be released?
All the details about the vulnerability have been public for some time now so we should assume that the first exploits are in the wild right now.

[Update]
Forgot to mention this blog post from Zimperium which contains two archives with POC files and patches.

Hi all, sorry for the wait.

Latest news (6 August):

The software team has a fix for the security issues under discussion, i.e. the Stagefright bug. They are working on a build and testing it now. We have to balance getting this update out as soon as possible, and having a reliable support infrastructure for all users. So we’re going to release it in two stages.

For advanced users, next week we plan to have a .zip file to download the fix manually through our support site.

For all users, the current schedule is to release the software update with the fix over-the-air over Wi-Fi the week after next.

Thanks for your patience as we get this out. It’s a security issue we take seriously and want to deliver it to all Fairphone owners ASAP.

12 Likes

Could you please include the Firefox scrolling fix in it? :smile:

5 Likes

The touchscreen fix will indeed be included. So hopefully no more touch glitches when using FF. :smile:

7 Likes