Metaphor: New Stagefright Exploit Puts Millions of Android Devices at Risk… Again
In late July of 2015, a number of vulnerabilities were found on Android's libStageFright multimedia component. Called Stagefright, the vulnerability put millions of Android devices at risk, allowing remote code execution after receiving an MMS message, downloading a video file, or opening a page embedded with multimedia content. Trend Micro discovered one such vulnerability within the Stagefright library during that time that could virtually "kill" an Android device when exploited.
Google has since distributed Stagefright patches for the vulnerabilities (and said that the company would implement a regular patching schedule), but it appears that there are still some flaws that can still be exploited. Researchers from NorthBit released a document that provides details on a working Stagefright exploit of the CVE-2015-3864 vulnerability. Dubbed "Metaphor", the exploit is said to affect devices running on Android versions 2.2 to 4.0, and is able to bypass ASLR1 on versions 5.0 to 5.1.
While Google is expected to release a patch soon to fix the flaws exploited by Metaphor, it might not be fast enough. Patching the round of Stagefright bugs found last year is still said to be spotty, thanks to the number of manufacturers and carriers involved in patch distribution, and it's no different today. Owners of affected devices are advised to update their software as soon as a patch becomes available.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Building Resilience: 2024 Security Predictions for the Cloud
- Enhancing Software Supply-Chain Security: Navigating SLSA Standards and the MITRE ATT&CK Framework
- Post-Quantum Cryptography: Quantum Computing Attacks on Classical Cryptography
- Diving Deep Into Quantum Computing: Computing With Quantum Mechanics
- Distributed Energy Generation Gateway (In)Security