Android Security Holes Put Millions At Risk

August 14, 2015 at 1:34 pm

Not even Google’s patch has stopped it: the StageFright bug is still alive and kicking despite a recent update meant to remedy the vulnerability. And it doesn’t end there: the MWR Labs research team found another flaw that could render the Android security sandbox defenseless.

“The first involves the update Google released last week fixing a flaw that allowed attackers to execute malicious code on an estimated 950 million phones with nothing more than a maliciously crafted text message,” reported Ars Technica on the StageFright flaw.

The patch that Google reviewed and released was just four lines of code, according to a blog post by Jordan Gruskovnjak and Aaron Portnoy, researchers with security firm Exodus Intelligence.

“Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period,” the Exodus researchers wrote, addressing the StageFright vulnerability.

“If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?”

While Google is still trying to find a permanent solution for the StageFright bug, the MWR Labs security researchers found yet another Android flaw.

“Separately, researchers from security firm MWR Labs disclosed a flaw that allows malicious apps to break out of the Android security sandbox,” according to Ars Technica.

“The sandbox is a key Android defense that isolates passwords and other sensitive data belonging to one app from being accessed by any other app installed on a handset. The bug, which resides in the Android Admin application at com.google.android.apps.enterprise.cpanel, allowed other applications on the device to bypass those restrictions to read arbitrary files through the use of symbolic links.”

Google will eventually fix the flaws, given its large team of professionals. Gruskovnjak and Portnoy, though, are worried about the speed at which Google is doing so and about how many users could be at risk right now.
