Stagefright. What’s so scary?

What is it?

The first Stagefright vulnerabilities surfaced after Zimperium, a mobile security research group, examined the code Android uses to process media attached to incoming MMS messages. The bugs were in the libstagefright media library, which gives the family its name.

The vulnerabilities let an attacker send a specially crafted MMS message to a target Android phone and have the phone execute attacker-supplied code when the media library parses the attachment. Because many messaging apps fetched and processed MMS media automatically on receipt, this could happen before the user ever opened the message.

Who’s affected?

An estimated 950 million Android devices, running every version from Android 2.2 onwards, were vulnerable to the first Stagefright bugs. Google applied the patches supplied by Zimperium and passed them on to device makers and mobile carriers, who are responsible for shipping the updates to the handsets under their control.

Is there anything else?

Yes. One of the patches supplied to Google to fix the initial vulnerabilities was itself found to be incomplete. The patch file 0006-Fix-integer-overflow-during-MP4-atom-processing.patch adds several overflow guards to the MP4 parser; the first, on the sample-to-chunk table, is:

+    if (SIZE_MAX / sizeof(SampleToChunkEntry) <= mNumSampleToChunkOffsets)
+        return ERROR_OUT_OF_RANGE;
+
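Review bot: the check correctly rejects any count whose product with sizeof(SampleToChunkEntry) would not fit in size_t, but nothing in the hunk says which allocation it protects; add a one-line comment naming the buffer, and confirm that the allocation adds no further term after the product, otherwise the guard has to cover that addition as well. Also reconcile the error code: this guard returns ERROR_OUT_OF_RANGE while the sibling size guard in the same patch returns ERROR_MALFORMED; callers may treat the two differently, so the patch should pick one for both.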

That guard holds. The check in the same patch that other security researchers later showed could still be bypassed, using a file crafted along the same lines as the original attacks, is this one, which is meant to bound a chunk size before it is added to an existing length for an allocation:

+           if (SIZE_MAX - chunk_size <= size)
+               return ERROR_MALFORMED;
+
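Review bot: the subtraction `SIZE_MAX - chunk_size` is itself unchecked. If `chunk_size` is a wider type than `size_t` (a 64-bit value on a build where `size_t` is 32 bits) and exceeds `SIZE_MAX`, the subtraction wraps to a very large value, the comparison against `size` passes, and the `size + chunk_size` this check exists to bound is later truncated to `size_t`, leaving a small buffer for a very large copy. Rewrite it so the attacker-controlled value is never the subtrahend: `if (chunk_size >= SIZE_MAX - size) return ERROR_MALFORMED;` is safe because `size` is a `size_t` and `SIZE_MAX - size` cannot wrap.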
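To see why the subtraction form of the guard fails while a rewritten form holds, here is an added C example; it is not code from the page, from Zimperium or from the Android source. It assumes a 32-bit build modelled with a uint32_t typedef standing in for size_t, and a 64-bit chunk_size, which is the width the MP4 parser carries atom sizes in; both are stated as assumptions in the code. The names guard_as_patched, guard_fixed, alloc_len, copy_overruns_alloc and count_fits are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model of a 32-bit Android build (not from the page or AOSP):
 * size_t is 32 bits, while the MP4 atom's chunk_size is parsed as a
 * 64-bit integer. SZ32_MAX stands in for SIZE_MAX on such a build. */
typedef uint32_t sz32;
#define SZ32_MAX UINT32_MAX

/* Guard exactly as quoted from the patch: SIZE_MAX - chunk_size <= size.
 * Returns true when the atom is rejected. */
bool guard_as_patched(uint64_t chunk_size, sz32 size)
{
    /* SZ32_MAX is promoted to 64 bits for the subtraction, so when
     * chunk_size > SZ32_MAX the result wraps to a huge value instead
     * of going negative, and the comparison quietly passes. */
    return (uint64_t)SZ32_MAX - chunk_size <= size;
}

/* Rewritten guard: subtract only the trusted size_t, never chunk_size,
 * so the subtraction cannot wrap and any oversized chunk is caught. */
bool guard_fixed(uint64_t chunk_size, sz32 size)
{
    return chunk_size >= (uint64_t)SZ32_MAX - size;
}

/* Length the parser would hand to new uint8_t[size + chunk_size] on a
 * 32-bit build: the 64-bit sum is truncated to size_t. */
sz32 alloc_len(uint64_t chunk_size, sz32 size)
{
    return (sz32)(size + chunk_size);
}

/* True when copying chunk_size bytes into the truncated allocation
 * would write past its end: the heap overflow the guard must prevent. */
bool copy_overruns_alloc(uint64_t chunk_size, sz32 size)
{
    return chunk_size > (uint64_t)alloc_len(chunk_size, size);
}

/* Guard from the first hunk, generalised over the element size:
 * accept the entry count only if count * elem_size fits in size_t. */
bool count_fits(uint64_t count, sz32 elem_size)
{
    return SZ32_MAX / elem_size > count;
}

int main(void)
{
    /* Constructed inputs: a 32-byte existing buffer and a chunk whose
     * declared size just exceeds 32 bits. */
    sz32 size = 0x20;
    uint64_t evil = 0x100000010ULL;
    uint64_t benign = 0x10;

    printf("benign chunk: patched=%s fixed=%s\n",
           guard_as_patched(benign, size) ? "reject" : "accept",
           guard_fixed(benign, size) ? "reject" : "accept");
    printf("evil chunk:   patched=%s fixed=%s\n",
           guard_as_patched(evil, size) ? "reject" : "accept",
           guard_fixed(evil, size) ? "reject" : "accept");
    printf("evil chunk past patched guard: alloc=%u bytes, copy=%llu bytes, overrun=%d\n",
           alloc_len(evil, size), (unsigned long long)evil,
           copy_overruns_alloc(evil, size));
    printf("sample-to-chunk count 0x20000000 with 12-byte entries: %s\n",
           count_fits(0x20000000ULL, 12) ? "accept" : "reject");
    return 0;
}
```

The difference between the two guards is only which operand is subtracted: subtracting the untrusted 64-bit chunk_size from a promoted SIZE_MAX can wrap, while subtracting the size_t value cannot. The same rule applies to the count check from the first hunk, which divides rather than multiplies for the same reason.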