Android exploits receive a lot of attention because its openness makes good subject matter for commercial and academic security research. Security researchers as well as cybercriminals are drawn to read the source code for different reasons – one to protect, the other to compromise. Does that mean that Android is at greater risk for security exploits? We don’t know. In contrast, Apple can update its devices more quickly because it controls all the hardware and all the software. Google is dependent on the hardware makers to update their devices, and, in turn, sometimes the hardware makers are dependent on the mobile carriers to pass through the updates. Other than the Nexus mobile devices sold through the Google Play Store, though, Google can’t directly update Android over the air. The exploit is named after the Stagefright media framework that was introduced in Android 2.2 that supports local file playback and HTTP progressive streaming. By default, the video is downloaded automatically on arrival. In this case, this buffer-overflow occurs when a video contaminated with malicious code is received by the default Android MMS and Hangout messaging apps. Typically, a buffer-overflow exploit writes data to memory until it overflows into a memory location used to execute code. In short, a 3GPP video can be given a string of metadata that, at first, exceeds a certain length, and in the end includes machine code that lands in memory that is off-limits to the application.” “t appears that certain fields in 3GPP video metadata are vulnerable to buffer overflow attacks. They’ve undergone much study by university and commercial security researchers, and many different defenses have been formulated.Ī posting on describes the Android Stagefright problem: Buffer-overflow exploits have long been a staple used by bad actors to attack every kind of computing device. The Android Stagefright vulnerability falls into the category of a traditional buffer-overflow exploit. Google’s partners will receive the corresponding source code updates each month for inclusion in similar OTA updates. Today’s update marks the beginning of a regular monthly cycle of over the air (OTA) updates to Nexus devices that are purely focused on security to keep users safe. As Drake told NPR, “Within 48 hours I had an email telling me that they had accepted all of the patches I sent them, which was great.” Drake also confirmed Google’s assessment, stating “ does not believe that hackers out in the wild are exploiting it.” It was subsequently reported in Forbes, Fortune and Wired, followed by a deluge of related stories across the tech blogosphere.ĭrake had reported the vulnerability to Google in April. A few days after the tweet, Drake gave an interview about the Stagefright vulnerability to National Public Radio (NPR). It began when Joshua Drake – security analyst with Zimperium who discovered the vulnerability – tweeted about it to promote his Black Hat talk about his discovery, pointing to his place on the conference schedule. The surge in interest in the Stagefright vulnerability was precipitated by the Black Hat security conference taking place in Las Vegas. At the Black Hat security conference this morning, Adrian Ludwig, Google’s lead engineer for Android security, assuaged fears about the recent Android Stagefright vulnerability reported to affect nearly a billion Android devices.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |