back to article Botched Google Stagefright fix won't be resolved until September

According to security company Rapid7, Google needs to rethink how it patches Android in the wake of initial botched attempts to resolve the Stagefright vulnerability. The criticism comes as Google itself confirmed users of its Nexus devices – who are the first to get security fixes – won't be fully protected until September. …

  1. Paul Shirley

    standard Google behaviour, only hearing the echoes

    Google has a long and disgraceful history of simply ignoring contact from outsiders, it really shouldn't surprise anyone that even critical bug reports get little or no response. They seem to have passed Microsoft now in doing whatever they want without caring how or who it affects.

    1. Bob Vistakin
      Facepalm

      Re: standard Google behaviour, only hearing the echoes

      But September?

      Marshmallow is out in October!

    2. Anonymous Coward
      Anonymous Coward

      Re: standard Google behaviour, only hearing the echoes

      Why? All my devices are patched with the big issue, by xperia and my nexus. This new edge vase is very very minor and its routine to wait until next month.

      Apple, Microsoft do exactly the same..

      My suspicion is your beef is with a phone manufacturer or carrier, neither of that is Google's problem

      1. Anonymous Coward
        Anonymous Coward

        Re: standard Google behaviour, only hearing the echoes

        "Why? All my devices are patched with the big issue,"

        No, you're wrong, those patches are not out yet. Did you even *read* the article?

    3. Fred Flintstone Gold badge

      Re: standard Google behaviour, only hearing the echoes

      Google has a long and disgraceful history of simply ignoring contact from outsiders, it really shouldn't surprise anyone that even critical bug reports get little or no response. They seem to have passed Microsoft now in doing whatever they want without caring how or who it affects.

      Hmm, I think I'd give them the benefit of the doubt here, for 2 reasons:

      - it is abundantly clear that the current structure of Android makes it stupendously complex to create patches that reach back a few generations because that also involves 3rd parties such as phone providers for the modem code etc. My hope is thus that their patch will include a move towards a more layered model where there are not so many dependencies to address between the various parties.

      - they botched one patch already, which at least means that they're working on it, but also that the problem is a more complex to fix than originally thought. I don't think we ever had a bug that affected so many devices at once (evil thought: it could be interesting to see if this could be memorialised in the Guinness Book of Records :) ), so I suspect they're quite aware of the seriousness of the matter. I rather have them do a decent job in a bit more time than go through another botch job as it'll be less disruptive for everyone.

      That being said, if they don't deliver after that delay I suspect it will not be good news for Android.

      1. bazza Silver badge

        Re: standard Google behaviour, only hearing the echoes

        "- it is abundantly clear that the current structure of Android makes it stupendously complex to create patches that reach back a few generations because that also involves 3rd parties such as phone providers for the modem code etc. My hope is thus that their patch will include a move towards a more layered model where there are not so many dependencies to address between the various parties."

        It was abudantly clear from the moment Android launched in 2008. Literally every other major operating system back then already had online automatic updating available and was well esablished. Even Google's Chrome web browser had an update feature all the way back then.

        It suggests that back then Google treated Android as some sort of toy, not really taking it seriously. They created an enourmous security problem for themselves and their users. Not very bright these Google engineers and businessmen; any ecosystem, including Android, is always one major security incident away from being dropped by its users like a hot potato. Where would Google's mobile search revenue be then?

        Commercially speaking they handled Android pretty badly too. By making it possible for the Chinese manufacturers to take Android, de-Googlise it and make it their own there's a billion strong market that Google are missing out on. And they run the same risk too in India. If their intention was to make a platform to attract users to Google's ad ladden services, making that platform hijackable by other manufacturers / service providers seems like stupid idea...

        Sure, as far as Google's shareholders are concerned Android has been terrific. However, it's nothing like as terrific as it might have been had they found a way to have full control over Android. Fortunately for Google shareholders mostly care about relative performance, and there MS have obliged by being woeful... That's very fortunate for Google for the following reason.

        MS's basic model is a standardised hardware architecture that any manufacturer can make, allowing MS to push out standard binary blobs to all users for updates, etc. And that works, generally speaking. All Windows mobile phones get updates, just like Apple, BlackBerry, etc.

        Had MS done a better job of making WinPhone appealling and done so a lot earlier, MS may well have very quickly turned it into a big and enduring success.

        But they didn't. Google easily slotted into a good second place (profits-wise) behind Apple, meaning they could satisfy their shareholders. Being a poor third to Apple and MS would have lead to grumpy shareholders.

        1. Anonymous Coward
          Anonymous Coward

          Re: standard Google behaviour, only hearing the echoes

          "My hope is thus that their patch will include a move towards a more layered model "

          https://developer.android.com/training/articles/security-gms-provider.html

          Loads more examples, but you can Google them

  2. Anonymous Coward
    Anonymous Coward

    Looks like MS and Google are competing in more ways than one, who can deliver the crappiest updates and bjorked patches. However at least Google won't make you have the update.

    1. BillG
      Megaphone

      Looks like MS and Google are competing in more ways than one, who can deliver the crappiest updates and bjorked patches.

      You have to admit, MS has an OS that is made for patching directly though Windows Update, which works regardless of what software you have installed or how you have Windows configured.

      It looks like Android can't be patched, an entire updated OS needs to be installed, which may break your phone depending on if it's rooted, or if Xposed modules or BusyBox is installed. Android is not configured like that because of Google and the carriers desire for control of the handset.

      1. Preston Munchensonton

        You have to admit, MS has an OS that is made for patching directly though Windows Update, which works regardless of what software you have installed or how you have Windows configured.

        Yes, there are differences between the OS architecture of Windows and Android, but this is really not high praise for MS. There's plenty of times that Windows Update cannot or will not permit patching based on installed software, whether due to misconfiguration of underlying services or Group Policy restrictions on specific packages. None of which really matters, as users no longer have this control as of Windows 10.

        It looks like Android can't be patched, an entire updated OS needs to be installed, which may break your phone depending on if it's rooted, or if Xposed modules or BusyBox is installed. Android is not configured like that because of Google and the carriers desire for control of the handset.

        The issue has little to do with Google/carrier control and everything to do with the Android structure as a monolithic, appliance-like OS image. Cisco has had this issue in virtually all of their gear since the early 1990s (at least until fairly recently) and it's widely acknowledged that the monolithic structure introduces a low threshold for fixing one bug and causing another. The base Android OS can't be patched in that fashion as it stands, not because of "control" but through lack of insight.

        To fix the underlying structure of Android, Google will have a really big shift in their development, as stated by Rapid7. It's not unlikely to state that Google is nearly going to have to start from scratch in certain respects, which makes the lack of original insight even more frustrating.

        1. asdf

          >To fix the underlying structure of Android, Google will have a really big shift in their development, as stated by Rapid7. It's not unlikely to state that Google is nearly going to have to start from scratch in certain respects, which makes the lack of original insight even more frustrating.

          What's their motivation? They own most of the market already especially on the lower end (where they have very little competition in a lot of markets). They also don't make money directly off Android itself. Little surprise then they don't want to blow a billion (or at least hundreds of millions) to get this done ASAP.

      2. Dan 55 Silver badge

        All they need to do is have updates coming straight from Google OTA which are signed with a special certificate which has rights to remount /system as r/w and copy the new library or apk before rebooting.

        It wouldn't be suitable for major OS updates but it's needed to patch exploits like this which have the same problem in the same library.

        1. Anonymous Coward
          Anonymous Coward

          >All they need to do is have updates coming straight from Google OTA which are signed with a special certificate which has rights to remount /system as r/w and copy the new library or apk before rebooting.

          The problem with certificates has always been the companies allowed to create and maintain them.

          1. Dan 55 Silver badge

            It's Google's OS so Google's the CA. No problems there... well, no more than the usual problems with Google.

            They could even do it as a Play Store/Play Services update. They're just not trying.

            1. Anonymous Coward
              Anonymous Coward

              >It's Google's OS so Google's the CA. No problems there... well, no more than the usual problems with Google.

              Wonder if the handset makers and network operators might have something to say about that. Then again they might not know it but at least short term Google can dictate pretty much what they want.

    2. Anonymous Coward
      Anonymous Coward

      It's not borked, its incomplete, far better than Microsoft and apple, which churn out busted patches weekly at the moment

      1. Anonymous Coward
        Anonymous Coward

        Well yes, if your judgement is purely based on the number of shit patches then google win because they don't ship any.

        Posting stupid? Post anonymous.

  3. Anonymous Coward
    Anonymous Coward

    Hubris

    Something was bound to come along and reward Google's opportunistic, sorry, i mean saintly stance around Project Zero. It was the wrong blanket approach, applied liberally and seemingly maliciously.

    I'm surprised though that the embarrassment came quite as quickly as it has.

    Next time, remember fellas, "There but for the grace of God..." or maybe even "Don't be evil"?

    1. asdf

      Re: Hubris

      So the solution is for none of the major corporations to look for bugs (even in their own code)? Isn't there too much of that already? I am ok with companies doing it to embarrass other companies and projects if it gets them off their butt to protect end users. They all live in glasses house and everybody should be throwing rocks as much as they can.

      1. Captain Queeg

        Re: Hubris

        > So the solution is for none of the major corporations to look for bugs (even in their own code)?

        > Isn't there too much of that already?

        No, the answer is for Google et al to act responsibly - by all means hunt each other's bugs but don't then use them to indirectly threaten end users.

        We've seen the rumblings about Win10 and the fears of loss of test time and patch management, but that's exactly what Google were trying to force. I see few sys admins running Windiws estates who relish on the fly quick patching to timescales like the ones Google arbitrarily set and now seemingly can't deliver to in their own code bases. :-/

  4. phuzz Silver badge
    Thumb Up

    It was patched a couple of days ago in the Cyanogenmod nightlies.

    1. Anonymous Coward
      Anonymous Coward

      cool

      Because flashing every day and praying is great for a daily driver. Are they going to also fix it in the 4.4.x branch?

    2. Allan 1

      Unfortunately, installing cyanogenmod will completely invalidate my Samsung warranty on my S6

    3. S4qFBxkFFg
      Unhappy

      Irritatingly, the last nightly for my phone was back in 2013.

  5. Dan 55 Silver badge
    Devil

    No problem...

    Everything's perpetual beta down at the Chocolate Factory.

    Lollipop took away keyboard buttons making it confusing to use, contact groups making it impossible to organise them, and shuffled the names of mail clients about making them confusing too. Next version might change it all back again.

    That's all part of the fun of Google's development methodology. So it makes complete sense that the security fix is also beta.

  6. Alan Denman

    lying twa*?

    Re - "If malicious actors choose to exploit this set of vulnerabilities in the meantime, there seems to be nothing everyday users can do to defend themselves," Beardsley warned.

    I thought the simple mms setting of auto to off did the trick?

    If so ........

    1. Anonymous Coward
      Anonymous Coward

      Re: lying twa*?

      until you open the mms manually (forging sender or hijacking mms might be possible). Also wasn't there found a second exploit that there is no workaround for?

    2. sabroni Silver badge

      Re: lying twa*?

      No. The mms thing shuts down the attack vector from an unopened mms but doesn't fix the underlying vulnerability which is in android's video player.

  7. chasil

    This code is HORRIBLE.

    Consider three libraries:

    system/lib/libstagefright.so

    system/lib/libstagefright_soft_mpeg4dec.so

    system/lib/libstagefright_soft_mpeg4enc.so

    Would you not think that the MPEG4 functionality would be confined to the later two libraries, allowing easy removal?

    Not so.

    readelf -s libstagefright.so | egrep -i 'mpeg4|esds|sampletable'

    1562: 00083a59 26 FUNC GLOBAL DEFAULT 8 _ZN7android14MPEG4Extract

    1603: 000a6ded 50 FUNC GLOBAL DEFAULT 8 _ZNK7android11SampleTable

    1375: 0007f671 20 FUNC GLOBAL DEFAULT 8 _ZN7android4ESDSD2Ev

    Why would these functions not be isolated?

    Removing libstagefright.so puts my phone into a boot loop, even though I have set media.stagefright.enable-player=false in /system/build.prop

    Why do we have disable flags that don't work, container libraries that are leaking code, and no update agent?

    Who came up with this design?

    1. Anonymous Coward
      Anonymous Coward

      Re: This code is HORRIBLE.

      >Who came up with this design?

      Isn't it awesome %80 of the world uses it? I guess it is for NSA.

  8. tekHedd

    I thought I would be behind the times

    When I first started playing with third party ROMs, I thought I would be more vulnerable because I wasn't on the mainstream update system. After, what, more than a year running Dirty Unicorns, I have learned to expect the opposite.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like