
Android has had a number of security scares over the years, but the Stagefright bug that was made public over the summer spurred Mountain View to action like never before. Patches have already rolled out for that problem, but now security firm Zimperium has announced a second round of Stagefright exploits that aren't covered by the first patch. Zimperium researcher and VP Joshua Drake says the new Stagefright vulnerability is as dangerous as the first. The good news? Google already has patches ready to go.

Despite the scary name, Stagefright isn't actually the name of an exploit. It refers to the multimedia engine library in Android known as libstagefright. The new vulnerability in Stagefright is similar to the first one, but the attack vector is different. Stagefright 1.0 relied upon MMS messages to trigger processing of a malicious media file by Stagefright. This could theoretically be used to run arbitrary code on the device. The new issue involves targeting devices via web pages hosting the malicious media files (an MP3 or MP4). The effect is the same — the attacker can run code via the Stagefright library on your device.

The new Stagefright bug actually involves two system components, one of which is libstagefright. The relevant bug for this one was only introduced in Android 5.0, so the headlines claiming a billion affected devices are only telling half the story. Stagefright 2.0 involves libstagefright making a call to a library called libutils in a vulnerable way — that's the core of the exploit. The libutils library has been in Android since 1.0, so every device has this bug. It's possible that other system components could make a similarly dangerous API call, so it still needs to be patched ASAP. Nevertheless, Stagefright 2.0 in its current form is technically only dangerous on Android 5.0 and higher.

Google was notified by Zimperium in advance of the vulnerability and has developed patches that will be rolled out in the October 5th Nexus update. That's also the update that brings Android 6.0 to Nexus devices, so all builds of Marshmallow should have this vulnerability patched. Other Android devices need to wait on updates from the OEMs and carriers, but Samsung and LG have already pledged to push out security updates on a monthly basis. This has always been the trouble with Android security patches, but it should be a little better this time around.

In the meantime, should you panic? Just like the first Stagefright exploit, there's no evidence this vulnerability has ever been used in the wild. It's important to realize that Stagefright itself isn't harmful to your device, it's merely a potential way in. An attacker still needs code that does something to the device, be that steal data or gain root access on the system. These are very difficult exploits to uncover in Android these days.

The Stagefright bug isn't pretty, but the sky is not falling.