Android OEMs Samsung, LG and HTC all vowed to follow Google in delivering regular monthly security updates following the widespread Stagefright bug revealed in August, though to date none have delivered a September patch.
Interestingly, as noted in Google's Android issue tracker, the Android Security team initially rated the flaw Gordon found as a low severity bug, which didn't qualify for payment under Google's new Android security rewards program.
Gordon, however, convinced Google in July, a month after reporting the bug, that it warranted a higher severity rating.
"This is a local attack with no user interaction leading to user-level control of the device, essentially "local unprivileged code execution" and I would think it would rank at or just below "remote unprivileged code execution." I hope this rating can be re-evaluated with consideration for the type of attack and extent of device and user data compromise achieved," wrote Gordon.
Google later upgraded its severity to moderate and offered Gordon a $500 reward.
Source: CSO Australia