Google issued another patch for the Stagefright vulnerability after realizing the first one didn’t seal the deal.
Millions of Android devices are vulnerable to Stagefright where it can end up compromised through a specially crafted multimedia message (MMS), so an attacker needs only the victim’s phone number.
Joshua Drake at mobile security firm Zimperium discovered the issue and submitted a set of patches along with its big report. Google released its first patch for Stagefright last week.
But a researcher with another security firm, Exodus Intelligence, discovered a flaw in the patch intended to fix Stagefright. He crafted a malicious MP4 file that could bypass the fix. Exodus notified Google Aug. 7 but didn’t get a response and decided to make the information public, Aaron Portnoy, an Exodus vice president, said in a blog post.
Google understands the issue and has now assigned it as CVE-2015-3864.
In a statement Thursday, Google said it had sent its latest fix to its partners. Devices in its Nexus line, including the Nexus 4, 5, 6, 7, 9, 10 and the Nexus Player, will receive an over-the-air update as part of the company’s monthly patch update for September.
Google said at the Black Hat security conference earlier this month it would issue monthly security patches for Android devices after Stagefright exposed millions of devices to attack. Major vendors such as Microsoft, Adobe Systems and Oracle have for years released security fixes on a regular schedule.
But the problem with mobile devices is that operators play a key role in distributing patches. While for the last three years Google has sent patches to mobile operators, it was up to those companies to send the patches to users. That process happened slowly if at all.
Major Android manufacturers including Samsung and LG have also committed to working with carrier partners to distribute monthly patches.