Stagefright vulnerability (disable MMS auto-download)

[EarlyMon]

Here's what I find funny.. 99.9% of ppl didn't even know this exploit existed! Which means that NOW everyone DOES know about it and can try to make use of it. Kind of like the US televising in depth all the holes in national security and now "terrorists" know WHERE & HOW to hit the country. Like.. "Hey, over HERE!"
Bad idea in general for both examples, IMHO.

Well - it's a growth industry on both sides.

Not to mention all of the "solutions" that are sure to follow. Fear not good android users, I'm sure some security genius like Cheetah Mobile will find a fix in no time [emoji6]

For those unfamiliar, the Cheetah Mobile reference was sarcastic - those familiar are lol.

 

[zuben el genub]

I just feel that if it was worth exploiting years ago - it would have been done especially if there was money to be made either from the exploit or the cure. The only thing that has changed between 2.2 and 4.4 is the size of the data plans sold for the phones. (hardware and software, too, but still vulnerable to exploits) Unlimited everything - does that equal unlimited sized mms, or MP4 movies? I'm limited to 300K.

To be honest, I was waiting for the discovering company to sell something.

The biggest patch needed is common sense and elbow grease which we'll never get - don't be too lazy to use the workaround if it inconveniences you.

 

[EarlyMon]

Unlimited data does not equal unlimited size MMS. There's a practical size limit imposed by carriers due to infrastructure. Varies by carrier.

Beyond MMS, most devices stop at 2 GB file sizes due to the way that phone storage is handled.

 

[El Presidente]

http://phandroid.com/2015/08/06/lg-...ey-too-will-release-monthly-security-updates/

LG committing to monthly security updates too.

 

[AZgl1500]

Sigh, Verizon won't be bothered with this stuff....
there just isn't any money in it for them to do so.

 

[bcrichster]

I just thought of something.. Did the "discoverer" of said exploit write a script or do anything to prove it beyond a theory?

 

[EarlyMon]

I just thought of something.. Did the "discoverer" of said exploit write a script or do anything to prove it beyond a theory?

Yeah.

 

[Bearsyzf]

@EarlyMon, what would I do to protect my Note 4 from this ?

 

[EarlyMon]

@EarlyMon, what would I do to protect my Note 4 from this ?

For the moment, use Textra or chompSMS, verify that the Stagefright protection is on (it is by default), don't open MMS messages from strangers and don't worry about it. Don't download videos from the web unless part of a trusted service like Google, Amazon, etc etc.

We're only now starting to get a clear picture without all of the hype.

You're likely to get a formal update to fix this before anyone ever gets infected.

Check the air in your tires, that's a bigger actual threat right now today.

 

[El Presidente]

Sigh, Verizon won't be bothered with this stuff....
there just isn't any money in it for them to do so.

http://www.androidpolice.com/2015/0...-galaxy-note-edge-build-lrx22c-n915vvru2bog5/

They might do ok!

Spoiler

Granted, this is just one device, but Verizon are the first network I've heard to roll out a stagefright fix since the debacle kicked off.

 

[AZgl1500]

http://www.androidpolice.com/2015/0...-galaxy-note-edge-build-lrx22c-n915vvru2bog5/

They might do ok!

Spoiler

Granted, this is just one device, but Verizon are the first network I've heard to roll out a stagefright fix since the debacle kicked off.

Well, never say die until it is proven I guess...
Will be curious to see how many Verizon phones they actually try to update.
Hopefully they will flush out all of the Lollipop versions first, and then start working backwards.
Peer Pressure is what did it though, it is not from the generosity of their own little hearts.

Meanwhile, I need to go check the tire pressures on my Goldwing, I want to take a ride tonight when it cools off a bit.

 

[EarlyMon]

http://www.androidpolice.com/2015/0...-galaxy-note-edge-build-lrx22c-n915vvru2bog5/

They might do ok!

Spoiler

Granted, this is just one device, but Verizon are the first network I've heard to roll out a stagefright fix since the debacle kicked off.

Sprint was first ftr.

http://phandroid.com/2015/08/05/nexus-galaxy-stagefright-update/

 

[Riotpump]

Times like this I'm more thankful than ever before for custom ROMs on my Nexus(and other)devices. No need to wait on an OTA update.

 

[EarlyMon]

Sprint HTC One M8 updated Stagefright today.

 

[Kaat72]

My Samsung tab S updated last night as well. Note 4 is still waiting.

 

[AZgl1500]

Verizon out did themselves tonight.

I was reading a book, my phone was "off" as in screen closed. DATA and WiFi were both OFF.
The phone buzzed and the screen lighted up, and there was a message there to update the phone now for a Security Issue.

uh, huh. Mother is going to force us regardless of what we want.... downloaded the file in the background, even though "DATA" was supposed to be OFF....

I now bow to the "all knowing greatest power of them all" and accepted my fate, and clicked on Update Now.... might as well get it over with...

Took 10 minutes, so far, nothing is different...

wonder if I beat Ironass to knowing about this one; and that you cannot refuse it....

____________________________________
2 ea. Verizon Galaxy S5, Lollipop

 

[EarlyMon]

I'm with Verizon, and the chance of me seeing an upgrade is just about zilch.
Yea VZW, never to our rescue...
if only, somewhere in their pea brain, they would quit messing with the Google code and leave it alone.

So - Verizon pushes out the Google code courtesy of Samsung, fixes the issue, and comes to the rescue.

Opposite of your previous complaint. I'd have wanted to say congratulations.

Now you want to complain about how Verizon forces you to take an update you don't want?

Yeah, so this is the Stagefright vulnerability thread, thanks for the info, probably others on Verizon who are concerned about it will be glad for the news.

 

[EarlyMon]

Anyway - what if the fix is wrong?

http://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/

That's what happens when security is driven by the media.

 

[AZgl1500]

So - Verizon pushes out the Google code courtesy of Samsung, fixes the issue, and comes to the rescue.

Opposite of your previous complaint. I'd have wanted to say congratulations.

Now you want to complain about how Verizon forces you to take an update you don't want?

Yeah, so this is the Stagefright vulnerability thread, thanks for the info, probably others on Verizon who are concerned about it will be glad for the news.

Wasn't complaining, just noting that VZW can ignore the DATA off if they want to.
Will the "fix" really take care of the issue? dunno, and I likely would never have been subjected to it in the first place. My contacts are only with folks I know, and I don't go surfing on the internet with my phone, just too small and tiny a screen to be useful for that.

50 years ago, I would have been able to see those tiny fonts, I used to solder kevlar insulated #30 gauge wires w/o the aid of glasses. Now, that size wire is totally invisible, much less me working with it.

 

[mtRoom]

Someone may have mentioned it already, but which version of Android has the applied patch?

 

[El Presidente]

It varies by device.

The patch is just a single line of code by all accounts so is relatively easy to apply to any device.

https://android-review.googlesource.com/#/c/166750/

 

[electricpete]

Well if you're not patched yet, time is running out.
The exploit has been released to everyone:
Android Stagefright Exploit Released to the Public

 

[electricpete]

I haven't followed this whole thing closely. There is a carrier patch for my phone, but it's not the easiest for me to apply (Samsung / AT&T don't make it particularly easy for rooted users to update).

Does updating to a patched SMS client protect us from Stagefright* vulnerability?
Or is it necessary to implement the carrier OS security update?

(* I realize in general there may be other security improvements in these updates, but as far as I've heard the AT&T S4 update from my I337UCUFNJ4 to new I337UCUFNJ5 only fixes stagefright)

 

[electricpete]

electricpete wrote:
Does updating to a patched SMS client protect us from Stagefright* vulnerability?
Or is it necessary to implement the carrier OS security update?

I think I answered my own question. Patched MMS client helps, but is not the best protection available
http://www.zdnet.com/article/google-android-stagefright-flaw-exploit-code-released/

zdnet:
Some of the fixes issued to combat Stagefright were only temporary measures to reduce levels of risk. For example, new versions of Google Hangouts and Messenger have been released which block the automatic acceptance of multimedia content sent via MMS -- which blocks one of the worst Stagefright attacks -- but not others

 

[El Presidente]

Apparently you can get it via the web & other vectors too.

A patched SMS app and Firefox are good starts according to the article.

Edit - I see you've found the same bit as me.

I don't understand the title of the article though

"Android Stagefright Exploit Released to the Public"

It doesn't mention anything being released anywhere. Also, the exploit has been known for a month or so now. :\