While the patches have been applied, it may be years until they reach all devices. We provided these patches to carriers and vendors through Zimperium Handset Alliance (ZHA). Zimperium zLabs expert and VP of Platform Research and Exploitation, Joshua Drake discovered multiple critical vulnerabilities in Stagefright library and provided patches to Google to secure Android. Stagefright Detector App for Android Devices Making the code available to the general public lets "security teams, administrators, and penetration testers alike.test whether or not systems remain vulnerable," Zimperium said.Free Stagefright Detector APK Apps Latest Download For Android Last month, Zimperium published details about the initial Stagefright exploit. "Many researchers in the community have said Google has replied to their reported bugs saying that they were duplicate or already discovered internally." "As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area," Zimperium wrote. Meanwhile, the company warned that this isn't the last you'll hear of Stagefright. "We encourage vendors to update their Android devices to incorporate the fix as soon as possible," Zimperium wrote. The security firm said it won't share a proof-of-concept exploit with the general public, but will update its Stagefright Detector app to identify the flaw once Google issues a patch. 15, and they "responded quickly and moved to remediate," though a patch is not yet available. Zimperium said it notified Google's Android Security Team about the issue on Aug. The flaw would most likely be exploited via the Web browser after an attacker convinced an unsuspecting user to visit a malicious URL, such as a mobile spear phishing site or malicious ad campaign. The bug apparently lies in the way metadata within files is processed, "so merely previewing the song or video would trigger the issue." The researchers found ways to exploit the flaw in devices running Android 5.0 and later, but said older devices may be impacted as well via third-party apps like media players and instant messengers that are using the vulnerable library, or other carrier functionality pre-loaded onto the device. Together, the two bugs can allow an attacker to execute arbitrary code on an affected device via specially crafted MP3 or MP4 files.
The first vulnerability of the two impacts nearly every single Android device since version 1.0, released in 2008, the researchers said. "Meet Stagefight 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files," mobile security firm Zimperium wrote in a blog post.
0 kommentar(er)
