Google bugle sounds patch release for Android Stagefright 2.0

Samsung and LG, but what about HTC?

Android icon desktop toys

Google is slinging new patches at the Stagefright Android-goring vulnerability revealed last week.

The fixes will prevent malicious video and music files from exploiting StageFright 2.0 holes present in all Android devices.

The new plugs stopper two remote-code execution flaws billed as the second iteration of the original Stagefright vulnerability.

Zimperium researcher Joshua J Drake reported the security bugs (CVE-2015-3876 in libstagefright, and CVE-2015-6602 in libutils) to Google that affects all Android handsets in use.

The patches squash 30 vulnerabilities in total.

Users will need to be lured to a phishing page or be served malvertising to be hacked, two attack vectors that are as common as they are effective.

There are no reports of attacks in the wild, however.

It is unclear what devices will receive the patches although Google, Samsung, and LG are pushing for monthly fixes.

Vulture South has asked the phone giants to explain the scope of their monthly patch pledges.

Nexus owners and those tapping straight into ASOP have access to the patches as of the time of publication.

Users of HTC devices will probably have to wait if a tweet by CEO Jason Mackenzie is anything to go by.

Mackenzie says the company will "push" for monthly updates but says it is "unrealistic" for manufacturers to guarantee the schedule.

The remaining Android user base who own devices from less popular vendors are at the mercy of manufacturers and telcos. Some vendors do not bother integrating updates into their custom ROMs, while telcos may not care to distribute those updates that are released.

For this reason users may opt to root their devices and migrate to supported custom ROMs such as Cyanogenmod, Paranoid Android, or Nameless ROMs. ®




Biting the hand that feeds IT © 1998–2018