It's been 10 days since Zimperium's Joshua Drake revealed a new Android vulnerability called Stagefright — and Android is just starting to recover. The bug allows an attacker to remotely execute code through a phony multimedia text message, in many cases without the user even seeing the message itself. Google has had months to write a patch and already had one ready when the bug was announced, but as expected, getting the patch through manufacturers and carriers was complicated and difficult.
But then, something unexpected happened: the much-maligned Android update system started to work. Samsung, HTC, LG, Sony and Android One have already announced pending patches for the bug, along with a device-specific patch for the Alcatel Idol 3. In Samsung's case, the shift has kicked off an aggressive new security policy that will deploy patches month by month, an example that's expected to inspire other manufacturers to follow suit. Google has announced a similar program for its own Nexus phones. Stagefright seems to have scared manufacturers and carriers into action, and as it turns out, this fragmented ecosystem still has lots of ways to protect itself.
It's still early, and most devices won't receive the patch until later this month, but Android security head Adrian Ludwig is optimistic that most Android users will be protected by existing mitigation systems, and expects patches to be deployed before attackers can break through. "The early reports triggered a very, very strong response," Ludwig told The Verge. "The OEMs are now really understanding and the ecosystem is really understanding how to react more quickly, because we all see that it's necessary."
At the same time, the wave of negative publicity around Stagefright seems to have spurred manufacturers into action. Samsung's VP of partner solutions Rick Segal says the move to rolling updates has been in the works at Samsung for six months. Enterprise customers have long lobbied for better security on the devices, and when a vulnerability in Samsung's Swiftkey keyboard was discovered earlier this summer, the company was impressed by the positive customer response to the quick patch. The widespread public alarm over Stagefright was enough to tip the scales on the new feature. "Really, it's the right thing to do," Segal told The Verge, "and you're not going to see any pushback from carriers or partners or anything because everybody knows it's the right thing to do."
That still doesn't mean patches will be immediate, but it means they'll arrive in weeks instead of months, giving attackers less and less time to exploit newly discovered bugs. At the same time, Android mitigation efforts are making vulnerabilities harder and harder to exploit. Even in its current form, Stagefright has had trouble getting around Android's Address Space Layout Randomization protections (commonly known as ASLR). The bug can still be used to trigger unauthorized code — a troubling result under any circumstances — but ASLR has made it difficult to reliably run any specific piece of code across a range of devices, a difficulty acknowledged by Drake himself.
"Hey guys! Instead of redoing/reproducing my work, why don't you see if you can bypass ASLR via Stagefright!" — Joshua J. Drake (@jduck) August 3, 2015
At its core, Stagefright works by corrupting a system's memory to change a program's control counter, the mechanism that determines the next instruction to be executed. In broad strokes, corrupting that counter allows an attacker to smuggle code into the queue to be executed, but exploiting that power consistently requires a good map of where the different system operations live in memory. ASLR scrambles that map, leaving attackers with no reliable sense of where to find the code they want to smuggle into the queue.
That's particularly important since the initial demonstrations of Stagefright exploits stopped at the point of code execution. Once Drake was able to corrupt the control counter, the seriousness of the bug was established. There may still be a reliable way around the system — we'll have to wait for Drake's presentation later today to find out if he has one — but it's a serious problem for attackers coming at the vulnerability cold. "Nobody thinks these measures are perfect," Ludwig said, "but they definitely buy time while manufacturers get patches out."
Any program that preloads video is potentially at risk
In the meantime, the best mitigation for users is still to turn off the "automatically retrieve MMS" setting in the messaging app, but that fix is also being attacked from a number of different angles. Google has promised a fix in an update to the Hangouts app next week, but some carriers have already taken the fix into their own hands. The German carrier Telekom responded earlier today by shutting down all automatic delivery of MMS messages to Android devices, requiring a manual download triggered by the user.
Unfortunately, MMS isn't the only way to exploit Stagefright, so users won't be entirely protected until the problem is fixed at the OS level. Researchers have already shown ways to exploit the vulnerability from a URL or even from within an application, although in each case the user has to manually retrieve the media for the attack to work, so these vectors aren't considered as dangerous as the texting vulnerability. Still, it underscores the importance of the patch itself, even as mitigation efforts buy time against attackers.
The biggest question now is how many manufacturers will come along for the ride, and whether any devices will be left behind by the new patching system. The first wave of Samsung patches didn't include the Galaxy S3 or S4, although they're among the most popular Android devices currently in use; Samsung has announced its intention to patch those devices later in the month. At the same time, manufacturers like Huawei and Asus have yet to make a public statement on when a patch will be available.
8/5 8:33PM ET: Updated to include Samsung's projected update plans for the Galaxy S3 and S4.