Friday, 2 October 2015

StageFright 2.0: Android Phones Vulnerable To New Stage Fright Leak

Millions of devices with Android are vulnerable because of a new vulnerability in the Stage Fright-media library and a security update from Google is not yet available. Reported security Zimperium. Stage Fright is a library that handles a variety of media formats.

A problem in the handling of MP3 or MP4 files ensures that an attacker could execute arbitrary code in the worst case to the unit. In late July, investigators were already several vulnerabilities in the Stage Fright library known. These include leak made ​​it possible to attack Android devices via MMS messages. The two now discovered vulnerabilities as "Stage Fright 2.0 identified". The first vulnerability is present in every Android device since version 1.0 was launched in 2008.

The researchers discovered a second leak making them the first leak on devices with Android 5.0 and newer can attack if a specially crafted MP3 or MP4 file is processed. Older phones may be at risk if the vulnerable component is invoked via third party apps or placed by the operator on the phone.

The primary attack vector for the first Stage Fright-leakage was via MMS, but this is in new versions of the Google Hangouts, and Messenger apps no longer possible. The researchers therefore see the browser as the main attack vector. An attacker could entice a user for example to a website or may execute the exploit via a man-in-the-middle. Google was informed on August 15 about the problems, but a patch is not yet available.

No comments:

Post a Comment