At the Black Hat security conference this morning, Adrian Ludwig, Google's lead engineer for Android security, assuaged fears about the recent Android Stagefright vulnerability reported to affect nearly a billion Android devices.
The surge in interest in the Stagefright vulnerability was precipitated by the Black Hat security conference taking place in Las Vegas. It began when Joshua Drake security analyst with Zimperium who discovered the vulnerability tweeted about it to promote his Black Hat talk about his discovery, pointing to his place on the conference schedule. A few days after the tweet, Drake gave an interview about the Stagefright vulnerability to National Public Radio (NPR). It was subsequently reported in Forbes, Fortune and Wired, followed by a deluge of related stories across the tech blogosphere.
Drake had reported the vulnerability to Google in April. As Drake told NPR, "Within 48 hours I had an email [from Google] telling me that they had accepted all of the patches I sent them, which was great." Drake also confirmed Google's assessment, stating "[he] does not believe that hackers out in the wild are exploiting it."
Members of the computer security industry adhere to a policy of responsible disclosure under which the vulnerability is kept confidential to allow time for the software vendor to patch it. Industry members also have a social responsibility to disclose the vulnerability if he or she feels the risks are great or that the vendor hasn't promptly patched it.
According to Google's Ludwig, though and contrary to what was reported by other media outlets when news of Stagefright first broke 90 percent of Android devices are protected from buffer-overflow vulnerabilities with a technology called Address Space Layout Randomization (ASLR). Messenger, Google's SMS app that was reported as the means to exploit the Stagefright vulnerability, will be updated to mitigate the risk of injecting harmful code into a video.
Google also confirmed via email that the vulnerability "was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected."
Ludwig said that this fix and further safeguards will be pushed to all Nexus devices starting today and Google has already sent the fix to the company's partners. Ludwig said that many of the most popular Android devices will get the update in August.
Today's update marks the beginning of a regular monthly cycle of over the air (OTA) updates to Nexus devices that are purely focused on security to keep users safe. Google's partners will receive the corresponding source code updates each month for inclusion in similar OTA updates.
Buffer overflow what?
Sign up for Computerworld eNewsletters.