Report: Stagefright patch doesn't fix 950 million vulnerable devices

The patch for Android's Stagefright vulnerability won't actually protect your phone, some security researchers say. According to Jordan Gruskovnjak and Aaron Portnoy of Exodus Intelligence, a malformed MP4 file can still create a buffer overflow, a vulnerability that could then be used to compromise 950 million Android phones.

The Exodus blog post walks through the vulnerability. A function in libStagefright reads two values from an MP4 file's header, chunk_size and chunk_type, as 32-bit integers. If the header returns a value of 0x01 for chunk_size, then a 64-bit value is read from the MP4 instead. According to ...

Read more...