This one is hella important, folks! Yes, I did just wanna say “hella”. I wrote about the Stagefright vulnerability last week, but for the sake of sparing you having to click that link here’s what I previously wrote on it.
So about that vulnerability that was announced yesterday...
First off, ignore the Gizmodo post on it. As well as the NPR post on it, which has to have been the single worst written tech post I’ve ever seen in my entire life. (Seriously, NPR. That thing was awful. Hire a goddamn tech writer who knows their stuff because it was just a goddamn mess and tough for even those of us who are familiar with this kinda stuff to read and make sense of. It was that bad.)
So what is the vulnerability? Well, contrary to some seriously misinformed authors and articles, it isn’t “limited to Hangouts or MMS apps”. It affects the majority of Android devices, plus Firefox on everything but Linux.
The vulnerability itself comes via “Stagefright”, an Android code library that processes several widely used media formats. Or put another way, this is an issue that can be found in AOSP, aka the Android source code. That’s a big issue, folks. One that is being greatly misreported. An AOSP bug/exploit/vulnerability is absolutely the worst kind. Until it’s patched and an OTA update that includes a patch rolls out it’s the kind of things that leaves everyone vulnerable.
And my mention of Firefox? Yeah, it affects it too for everything but Firefox on Linux (which means it also affects Firefox OS).
Now, in regards to the MMS nonsense from yesterday: That’s one possible vector of attack, but also the worst case scenario route. There’s no proof yet that any such attack/scenario has taken place. It was just posited as being possible.
So who’s affected by this vulnerability? Pretty much everyone. Anyone running Andorid 2.2+ is vulnerable. In point of fact, even the Nexus 6 was vulnerable until a recent update fixed the issue. But anyone on an Android version between 2.2 - 4.3 is especially vulnerable. They in particular lacked some of the recent exploit mitigations.
How can this be fixed? Like I said, via a patch of the AOSP code and from there an over-the-air (OTA) update. Basically, it’s up to your device’s respective manufacturers to roll out the update. If you have a carrier device then that adds another link in the chain on who needs to roll out the update you sorely need.
Beyond that there’s nothing you can do short of waiting for that update to hit your device. Well, that and tweet your respective OEMs and carriers and mention the Stagefright vulnerability and ask them when they are going to issue an OTA update to fix it. Not even joking about that either, they won’t get on this until you make them aware that you’re aware of the issue, that it’s been patched by Google, and now it’s on them to put out an OTA update to fix things. Otherwise, they could not care less.
A few devices have received the update to patch the vulnerability already. Or will be soon. All Nexus devices have begun to receive the update, if you haven’t received it yet just know that it’s coming soon. Google does things in staged roll outs, but you should be getting it before the end of the weekend if all goes well. Additionally the following devices should also expect the patched OTA to hit them soon.
Sprint will soon be releasing the OTA patch to the following devices: S6, S6 Edge, S5, and Note Edge.
AT&T will be doing similar to the following devices: S6 Active, S5, S5 Active, and Note 4.
All other affected devices will have to wait for a patch to be sent out.
If you want to see if your device is affected by the vulnerability please install the Stagefright Detector App. Assuming your device is vulnerable, and most will be, it’s pretty much a waiting game at that point. Which is why I can’t state enough that people need to bitch at their carriers and device manufacturers when it comes to things like this. The carriers in particular don’t care and are the worst offender when it comes to why updates are held up or never made available for any given device. So if your device is vulnerable hit them up on Twitter. Create a hashtag for it (don’t ask me for an idea on what it could be because I’m just gonna default to “#thisiswhycarrierssuck cause they hold up updates for major vulnerabilities”).