1. PretoEvo's Avatar
    Does anyone know if either of the recent sw updates include the patch for the new Stagefright vulnerability?
    07-27-2015 04:16 PM
  2. AMTrombley0924's Avatar
    I don't even think Google knows at this point...

    What'll probably end up happening is each OEM will announce either that they have patched some of their phones and list them, or that they will soon. Recent articles say that Google had implemented the suggested changes so it sounds to me like the buck is at the OEM level at this point

    Sent via my DROID Turbo via Mr. Universe's Signal...because you can't stop the signal!
    07-29-2015 12:06 AM
  3. doogald's Avatar
    Recent articles also say that Google is readying an update for Nexus devices, so they haven't even implemented the update themselves. So, I kind of doubt the Turbo is patched.

    Google Promises A Stagefright Security Update For Nexus Devices Starting Next Week

    It does seem that using Hangouts as your messaging app is a bad idea, but there hasn't been much news about other messaging apps (Verizon's, Google Messenger, Textra, Handcent, Chomp, Go, etc.). Oh, and we also know that we'll be finding out more about this next week at Black Hat, so hopefully there will be more details coming.

    This really is Android's achilles heel - a security exploit that cannot be patched by Google Play Services. Maybe Google can patch something that looks for this exploit and deletes attachments as they are received. I guess we'll see.
    07-29-2015 04:31 AM
  4. gokart186's Avatar
    Textra issued a patch over the weekend for stagefright, so at least theres that.
    jpdaballa likes this.
    08-03-2015 10:49 AM
  5. doogald's Avatar
    I'm beginning to wonder if stagefright is a big issue for the turbo. They mention getting root access, but the turbo write protects the system partition, so I'd think that any exploit would be lost when you restart the phone. I guess we'll know for sure pretty soon.

    If it is a big problem, it could be good news for people who want to root the phone; it could be the exploit you'd need to get root.
    08-04-2015 05:13 AM
  6. Einsteindks's Avatar
    As I understand it, ALL texting apps are affected when an MMS message comes in. Best option for now is to turn off auto-retreve MMS texts, and delete the ones you don't recognize, only giving the OK to ones you know. A little inconvenience is all.
    08-04-2015 09:21 AM
  7. doogald's Avatar
    As I understand it, ALL texting apps are affected when an MMS message comes in. Best option for now is to turn off auto-retreve MMS texts, and delete the ones you don't recognize, only giving the OK to ones you know. A little inconvenience is all.
    Here's the thing about turning off media retrieval - at this point you're fine either way, because nobody outside of Zimperium and Google knows what the exploit is. But Zimperium is supposed to be providing proof of concept code shortly so everyone will find out how to exploit it. Once they do that, how do you know whether to retrieve an MMS message from somebody? If the malware has infected the phone of somebody you know, the malware could conceivably take a photo or video in the gallery on the phone, embed the malware, and then MMS it to you (which will be found in the list of contacts) without your friend even knowing. When you receive the message, how will you know whether it is benign or infected? Once you download it, it could be an exploit.

    (By the way, Verizon never said what the mystery OTA that came out after Lollipop was. Maybe it included a patch to this?)

    So, again I say, we really don't know whether this exploit can really do bad things on a Turbo yet. It's probably smart to be careful, but so far the publishers of this exploit say that they know of no examples of this happening yet beyond their research. We should know this week, though.

    [edit] The presentation is Friday, but they are not releasing the code until August 24. See http://blog.zimperium.com/experts-fo...rt-of-android/
    Einsteindks likes this.
    08-04-2015 10:10 AM
  8. emock81's Avatar
    From the Motorola forums:
    https://forums.motorola.com/posts/05618afc2d

    After Google informed us in late June, we've been working to integrate, test and deploy the patches. All of our newly launched products (Moto X Style, Moto X Play, and Moto G 3rd Gen) will have the patch integrated in the software. We'll include it in the remaining planned Lollipop upgrades as soon as possible. We’re working with our partners to update phones that have already received the Lollipop upgrade. We are still working through the feasibility to support older devices that are not getting Lollipop. We don't have any timing for individual device updates right now.

    We are not aware of any known or reported incidents of anyone attempting to take advantage of this possibility to harm Android phone owners. However, there are steps you should take to protect yourself until the patch is available.

    First, only accept multimedia content (such as attachments or anything that needs to be decoded to view it) from people you know and trust. Second, you can disable your phone’s capability to download MMS automatically. That way you can only choose to download from trusted sources.

    Here are the steps to auto-disable download for some common messaging apps:

    Messaging: go to Settings. Uncheck “Auto-retrieve MMS.”
    Hangouts (if enabled for SMS; if greyed-out, no need to take action): go to Settings > SMS. Uncheck auto retrieve MMS.
    Verizon Message+: go to Settings > Advanced settings. Uncheck Auto-retrieve. Uncheck “Enable weblink preview.”
    Whatsapp Messenger: go to Settings > Chat settings > Media auto-download. Disable all video auto downloads under “When using mobile data,” “When connected on Wi-Fi” and “When roaming.”
    Handcent Next SMS: go to settings>Receive message settings. Disable auto retrieve.
    Also someone made a really good point. This has been around since Android 2.2. If you haven't been exploited yet, then the chances are still pretty slim.
    doogald likes this.
    08-04-2015 07:13 PM
  9. doogald's Avatar
    Also someone made a really good point. This has been around since Android 2.2. If you haven't been exploited yet, then the chances are still pretty slim.
    Pretty slim until the details of the exploits are released. Then it's not so slim anymore.

    (The exploits go back to froyo but were just recently discovered. This happens with Windows a lot, too.)
    Davidoo likes this.
    08-04-2015 07:34 PM

Similar Threads

  1. How do I connect external drives for music?
    By wburkett in forum Samsung Galaxy Note 4
    Replies: 0
    Last Post: 07-27-2015, 03:45 PM
  2. Replies: 0
    Last Post: 07-27-2015, 03:03 PM
LINK TO POST COPIED TO CLIPBOARD