Stagefright 2.0

Not a lot of details to go on yet, but there’s rumours going around that the problems surround multimedia previews in Android are not over, with some hailing it as the return of Stagefright, a.k.a. Stagefright 2.0 (e.g. here). It will be interesting to see which versions of Android Google (and then Fairphone) are going to patch, now that Android 6.0 has been released. The comments in the linked article seem pessimistic about versions <4.4, but I don’t think anybody really knows anything yet.
If anyone does know more about this, or on workable ways to mitigate risks, I’d be interested to know more!

6 Likes

Uh oh. Let’s hope FairPhone can issue a patch for this.

1 Like

Although I enjoyed this part of the Register article:
“People owning the 20 per cent of devices running Lollipop or later are
probably wealthier than others, and therefore more attractive targets”,
I found this one a little more balanced/less alarmistic and also slightly more informative:

Don’t know if the ASLR feature (Android 4.0 and upwards) that was said to at least reduce vulnerability vis-á-vis Stagefright 1.0, also reduces the risk from Stagefright 2.0

And remember, there are no known exaples of exploits, so far it’s a theoretical vulnerability only. AFAIK there are no known examples of exploits by Stagefright 1 either. So even if it is true that it would take just one text to hack 950 million Android phones (Forbes headline in August), it hasn’t been sent yet.

2 Likes

Belated update: apparently patches have been issued for all versions of Android. See for example [here][1]. Not quite sure what they were thinking, however, when they wrote this:

To reduce the chances of getting infected by Stagefright 2.0 and other malware that exploits the same vulnerabilities, Google advises Android users to update to the latest version.

As I have the feeling that it’s not choice that is holding people back.

I can imagine that Fairphone will take a while to fix this in Fairphone OS, with a small team and a new phone coming up for which details (or lack thereof) about the software that have been released give the impression that they are probably working flat out on solving that first. At least these bugs don’t seem to be exploited in the wild (so far).
[1]: http://www.techtimes.com/articles/91962/20151007/google-releases-security-patch-to-fix-stagefright-2-0-holes.htm

1 Like

Getting some kind of statement from Fairphone would be good.

Does FP1 need another update for the new vulnerabilities, or are we safe?

2 Likes

The latest issues have not been patched, and at least one of the apps to check for vulnerabilities reports the device as vulnerable (see here). So in time there probably/hopefully will be a patch.

Yes, there needs to be a new update. May I summon some Fairphone people: @Stefan @anon90052001 please comment.

Thank you, @ace28, but I’m not exactly “Fairphone people”… :wink: At least I am not employed by Fairphone, I am voluntarily active in the community. :slight_smile:

I think Fairphone are extremely busy getting the FP2 sorted, so at the moment I don’t think there will be a new update until they can put resource back into it.

2 Likes

I am sorry, you where just one of the moderators that I remembered :wink:

@Chris_R I see. But I think this security threat should stay in consciousness. So what Can I do? Would it be bad if I keep putting some replies here every now and then to heave this thread to the upper part of the threads again?

I contacted Fairphone support for a statement. As soon as I hear from them, I’ll post here.

3 Likes

It’s better to directly contact Fairphone, like @7adietri has done, and post the results here. :slight_smile:

2 Likes

Support just sent a reply:

Our software development is aware of Stagefright 2.0 and this is in
scope. Though, it is still not really clear if this has influence on
Fairphone 1 or not (at least that was the last I heard). But we are
working on this and hope to have an news soon.

So it’s definitely on the radar. I guess they’re pretty busy with FP2 right now, too.

4 Likes

Is it too early to post a reminder? :sweat_smile:

1 Like

One more month has passed.

Hey, I have Koala Nut 1.8.7 installed - and stagefright detector (the one by Zimperium) just found 2 critical issues (codes CVE-2015-3876 and CVE-2015-6602).

I just sent an email to Fairphone support and got an automated reply that responding may take some time because of many support requests.

Does anybody here know what to do?

Fairphone is working on an update to Android 4.4.4 for FP1(U), which they hope to finish in September (though I wouldn’t be too surprised if it will be a bit later in the end). This should include the latest security updates.

I haven’t heard of these security issues being actively exploited so far, so there’s not that much to do other than following general advice such as not installing apps you don’t trust, avoiding links in dodgy e-mails and using common sense. Oh, and I recommend avoiding using the ‘Browser’ app; install any other trustworthy browser instead (because of some other security issues - this too should be fixed in the 4.4 update).

2 Likes

thank you!! by the way, do you have a recommendation on what browser app to use?

There’s a topic with a bunch of suggestions here, though the discussion is mainly between people looking for highly customisable/lightweight/open-source browsers:


Personally, I’m (mainly) using Firefox, but I’ve been meaning to see whether switching to something else as default browser would work for me.

2 Likes