Android 32-Bit ASLR Too Weak To Block Stagefright Exploits, Says Google Researcher

[Lucian Armasu]

Stagefright vulnerabilities just got worse, with Google security researchers announcing that Android's weak 32-bit ASLR doesn't do much to protect devices against exploits.

Android 32-Bit ASLR Too Weak To Block Stagefright Exploits, Says Google Researcher : Read more

 

[brookg]

It tells me that the OS itself is crappy code.
ohh wait.. we're not talking about Microsoft?
Ohh of course, I would not be the first comment here if it were microsoft... makes sense!

 

[uglyduckling81]

Are you angry a company has spent time, money and effort building a positive image with the community?
People will always be angry with a company for mistakes when they have built a poor reputation over a long period of time.
Google have built themselves up a buffer so people can give them some leeway with some mistakes.
If they constantly screw up or start dodgy practices that screw everyone over to make a quick buck their free pass will disappear as well.

 

[basroil]

It tells me that the OS itself is crappy code.
ohh wait.. we're not talking about Microsoft?
Ohh of course, I would not be the first comment here if it were microsoft... makes sense!

For all the crap people say about MSFT, they actually have amazing support and actually try to fix bugs. Hell, their enhanced mitigation toolkit methods already prevent stage-fright like attacks and to this day is the only setup (win 7+ with EMT IE11) to have never been cracked in pwn2own.

More than the fact this issue exists is the problem that even if google were to solve the issue (which they won't ), they have no way to force companies to apply the security fix to phones, since the phone OS can't be patched by Google alone.

 

[alextheblue]

More than the fact this issue exists is the problem that even if google were to solve the issue (which they won't ), they have no way to force companies to apply the security fix to phones, since the phone OS can't be patched by Google alone.

Yeah there's going to be a lot of devices in the wild that are vulnerable without an official update path.

 

[jasonkaler]

Their approach to dealing with the problem is pathetic.
The problem is in the way the buffer works, allowing it to overflow the memory allocated to it.
They need to fix their buffers, not find workarounds.
Especially when dealing with data from untrusted sources, programmers need to take the time to add in data validation. It's not difficult to do.

 

[vhawkxi]

And yet, advertisement API are still allowed by Google and other Android OS developers. They would rather make a couple of dollars out of malware adds than protect the users of the Android OS from this uncontrolled invasion of privacy and exposure to criminal software. And then they complain when the few people with brains installs add-blocking software on their devices? How long will this stupidity continue ....

Maybe it is time that they take a hint from iOS and start disallowing in-app adds.