Stagefright Patch Reissued After Researchers Find Fault

Google has been forced to reissue a patch for the notorious Stagefright vulnerability after the first one didn’t work, exposing over 900 million users.

Stagefright is actually a group of vulnerabilities which, if exploited, could allow an attacker to remotely control an Android device simply by sending a specially crafted MMS message.

Devices could also be compromised via a malicious app, or via MP4 and other video files that auto-play when a website loads. After the video has played, attackers can bypass the disabling of auto-play videos in Chrome and gain complete control of the device.

At Black Hat last week, Google trumpeted the fact it was rolling out one of the largest ever security updates to fix the issue – affecting in the region of 950 million users.

However, despite the web giant being informed about the flaw back in April, it appears that the initial patch it issued was faulty.

Exodus Intelligence claimed in a blog post that one of the patches sent to and accepted by Google could be bypassed by a specially-crafted MP4 file.

This is all the more embarrassing for Google given the original patch featured only four lines of code.

“In summary, the Stagefright disclosure process was an interesting one to observe. The (un)surprising outcome being that given all the exposure this vulnerability received combined with essentially infinite resources on the vendor side, effective security mitigations were still not deployed,” Exodus Intelligence noted.

“Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period.”

A Google statement seen by IDG claimed the firm has taken care of the issue and will update Nexus devices in an over-the-air fix as part of its monthly patch round in September.

The fix has also apparently been sent to Android handset partners.