Google’s Android Stagefright Security Patch Is Flawed, Says Researcher

Android’s Stagefright vulnerability has received its share of concerns and patch releaseannouncements from various Android OEM manufacturers, including a new monthly security update cycle. The problem however seems to still be around even after Google released a patch this month for its Nexus devices that was claimed to fix the Stagefright bug.

Jordan Gruskovnjak, a security researcher from Exodus Intelligence has discovered ‘severe’ problems with patch rolling out to Nexus devices. Jordan also claimed that the Stagefright Detector app released by Zimperium (the company that reported the issue initially) is unable to detect the flaw that remains after the patch, which just contains four lines of code.

“Despite our notification (and their confirmation), Google is still currently distributing the faulty patch to Android devices via OTA updates,” notes Exodus Intelligence.

To recall, Stagefright is an open source media player and which is believed to be used on about 95 percent of Android devices, an estimated 950 million users. The vulnerability, if exploited, can let attackers take control of an Android device by sending a specially crafted media file delivered by an MMS message.

“Along with the initial bug report, a set of patches to stagefright flaws were supplied and accepted by Google. One of these patches, addressing CVE-2015-3824 (aka Google Stagefright ‘tx3g’ MP4 Atom Integer Overflow) was quite simple, consisting of merely 4 lines of changed code,” notes Exodus Intelligence official blog.

Jordan tested out a Nexus 5 with an updated firmware flashed to it and was greeted with a crash upon testing. He was able to test the flaw through a specially-crafted mp4 file that bypassed the patch.

The security research company says that it notified Google, and was told the Mountain View company has allocated the CVE identifier CVE-2015-3864 to its report. The company claims that it had to make the issue public with their findings to notify everybody about the issue.

Google confirmed the findings to The Verge, and added that a second patch was already being pushed out. “We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update,” said Google in a statement.

The company however did not comment when non-Nexus devices can expect to receive the patch.

Last week, Google and Samsung announced they will offer a monthly security patch to their devices. LG and Motorola also joined to reveal Stagefright vulnerability patches.

Microsoft Improving Touch Mode in Windows 10, Leaked Build Tips

windows_10_build_100564_the_verge_touch_mode.jpg

Microsoft appears set to be revamping the Windows 10 touch mode, which was introduced alongside the Continuum feature for hybrid devices with the January Technical Preview , as per a new leaked build.

Build 10056 of the Windows 10 Technical Preview for desktops, laptops and tablets surfaced on the Web last week showcasing several touch-friendly improvements and upgrades in Windows 10. The Verge, which got hold of the leaked build, notes that the tablet mode now removes all the apps from task bar, leaving users with access to the Start Screen, virtual desktops, and the Cortana voice-based digital assistant only.

The new UI is said to be similar to the touch version of Windows 8.1 OS. However, the Charms bar has now been replaced with a notification centre with easy access to settings and notification. The build also shows recent apps when swiped on screen from left, while giving a full screen view of the Live Tiles and apps when accessing the Start Screen. Also, a new animation has been introduced for the Start Screen, which overlays on the desktop wallpaper.

The apps when launched take up the entire screen without congesting the taskbar. Some of the other changes mentioned in the leaked Microsoft Windows 10 build are black notifications centre, dark-themed UI elements, a new Recycle Bin, resizing of Start Menu and switch transparency on/off, as well as options to change the colour of the UI. Microsoft is yet to officially roll out the build to Windows Insider testers.

Over the weekend, Microsoft rolled out the second build (10051) of the Windows 10Technical Preview for phones. The highlight of the build is the inclusion of an early version of Microsoft’s Spartan browser for phones, along with a number of other features.