Google patches Stagefright 2.0 in Nexus, fixes land in 'nightly' CyanogenMod builds

While most Android owners could be waiting weeks or months for Google's latest Stagefright fixes, CyanogenMod has them ready to go now.
Written by Liam Tung, Contributing Writer

In tandem with the release of Android Marshmallow 6.0 for Nexus phones, Google has also delivered a critical security update for Nexus devices vulnerable to the latest Stagefright bugs.

Revealed last Friday, Stagefright 2.0, like its predecessor, has left virtually every Android device in the wild exposed to a dangerous attack on the operating system's media player engine, which can be triggered after receiving a malicious MP3 or MP4 media file.

Joshua Drake, of mobile security firm Zimperium, reported the new Stagefright bugs to Google in mid-August and the Android Security Team has released fixes for the issues in its October monthly security update.

Google said it notified Open Handset Alliance partners about Stagefright 2.0 on September 10 or earlier and would release source-code patches for these issues to the Android Open Source Project (AOSP) repository.

The Stagefright 2.0 bugs fixed in this update affected libutils in all versions of Android from Lollipop 5.1.1 down to Android 1.0, while another fixed flaw affected the same libstagefright component that was exploited by Stagefright 1.0. The second flaw was limited to Android 5.0 and higher.

The update contains a total of five critical fixes covering more than a dozen individual flaws, as well as five high-severity privilege escalation issues affecting libFLAC, KeyStore, Media Player Framework, Android Runtime, Mediaserver, and Secure Element Evaluation Kit. There are also several more moderate and low severity fixes in the update.

Google had already addressed a weakness that made Stagefright dangerous by updating Hangouts and Messenger applications to not automatically pass media to vulnerable processes like mediaserver.

Ever since Stagefright's disclosure, the Android maker has maintained that the OS's address space layout randomisation (ASLR) would have thwarted actual attacks on devices. However, last month its own security researchers at Project Zero revealed this security feature could in fact be bypassed.

Nonetheless, the severity of Stagefright spooked Google into committing to monthly security updates for its Nexus 4, 5, 6, 7 and 9 devices, which began in August.

Samsung and LG vowed to follow suit with monthly security updates of their own. But president of HTC America, Jason Mackenzie, has cast doubt on the viability of those commitments, noting on the weekend that it would be "unrealistic" for any vendor to guarantee monthly security updates when patches are often held back by carrier testing.

"Sometimes you won't receive due to lack of space in their labs. They only handle so many projects at once," Mackenzie explained to a developer on Twitter.

Carriers across the globe were quick to deliver Stagefright fixes soon after the bug was revealed, yet despite the promise of monthly updates, carrier-certified versions of LG, Samsung, and HTC devices are still waiting to receive Stagefright fixes.

According to support pages of Australian carrier Telstra, the Stagefright fix for HTC's One M8 has been retracted due to an issue with the over-the-air firmware package, while updates for Samsung's Galaxy S5 have been approved but are still waiting to be deployed.

Patches for LG's G4 were "deploying" in late September. Dozens of other mid-range and flagship devices have not received fixes yet either.

Google's Nexus devices are another matter, and device owners should be getting an over-the-air update in the next few days. Alternatively, they can get the builds from Google's developer site.

"Builds LMY48T or later - such as LMY48W - and Android M with Security Patch Level of October 1, 2015 or later address these issues," Google notes in the bulletin.

Given the update delays to carrier-certified Android devices, if Stagefright comes under a serious attack, it could make rooting a handset and installing CyanogenMod a more secure option.

Cyanogen developers announced yesterday that Google's security release had hit AOSP code and has now been merged into the CM 12.1 source. CM 12.1 nightly builds for over 50 devices already contain Google's October security fixes, the developers noted.
