Information Technology News.

Google gets ready to fix the Stagefright security bug in Android


August 6, 2015

If you're using an Android phone, you have reason to be concerned, but Google said it will repair the Stagefright security flaw in its operating system in the next few days.

Adrian Ludwig, lead engineer for Android security at Google, said: "My guess is that this is the single largest software update the world has ever seen. Hundreds of millions of devices are going to be updated very soon."

All Nexus devices are going to be patched, and Samsung, Motorola, HTC, LG, Sony, Android One, and hundreds of other manufacturers are also going to push out the patches, he said.

Some mobile handset vendors, like Silent Circle, have already patched their operating systems, he added.

"With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner," said Dong Koh, vice president of Samsung Electronics, Mobile R&D Office.

"Since software is constantly exploited in several new ways, developing a faster response process to deliver security patches to our devices is critical to keep them protected. We believe that this new process will vastly improve the security of our devices and will aim to provide the best mobile experience possible for our users," added Koh.

Additionally, Google, Samsung and LG have made a commitment to send out monthly security patches to users that will repair any upcoming issues in the operating system.

Those updates have been sent out to manufacturers for several years already, but now end users will get them as well, and they will continue for at least three years after the launch of any new mobile handset.

"We've looked at the events of the last few weeks and realized that we need to move faster, and that we need to tell people what we are doing," Ludwig said.

The Stagefright security flaw was a serious issue, with 95 percent of devices potentially vulnerable, he said, but there were mitigating factors.

Devices running Android Jelly Bean 4.1 or later had address space layout randomization (ASLR) to block memory exploits, he said, and this bought enough time to sort out the problem.

As for the other Android security flaw from last week, Trend Micro's discovery of an integer overflow bug in Android's media server service, that too will be fixed by the end of this week.

The security bug allowed phones to be crashed and silenced due to errors in video handling, and a fix is now in place despite Google initially dismissing the issue as a low priority.

"Google's messenger app gets updated by end of the week so it won't build dynamic media thumbnails," Ludwig promised. "Thumbnails are going to be very boring for the next week..."

And it's not just about the updates: Google is investing considerably in better securing the Android ecosystem and blocking apps that could be considered malware, Ludwig promised.

In June, Google announced Security Rewards for Android, a bug bounty scheme specifically for the mobile operating system.

The rewards include smaller payouts for simple bug finding, similar to the bounty system for Chrome, but a full exploit chain that shows a bug, includes an exploitable proof of concept and results in access to the TrustZone in Android could net researchers up to $38,000.

App developers are also going to be getting warnings if their code is found to break the rules, either inadvertently or by design.

So far, Google has warned developers about more than 60,000 applications, but Ludwig said he wanted that number reduced to absolute zero in the long run.

Source: Google.


       © IT Direction. All rights reserved.