Android 32-Bit ASLR Too Weak To Block Stagefright Exploits, Says Google Researcher

Status
Not open for further replies.

brookg

Distinguished
May 1, 2009
6
0
18,510
0
It tells me that the OS itself is crappy code.
ohh wait.. we're not talking about Microsoft?
Ohh of course, I would not be the first comment here if it were microsoft... makes sense!
 

uglyduckling81

Distinguished
Feb 24, 2011
719
0
19,060
30
Are you angry a company has spent time, money and effort building a positive image with the community?
People will always be angry with a company for mistakes when they have built a poor reputation over a long period of time.
Google have built themselves up a buffer so people can give them some leeway with some mistakes.
If they constantly screw up or start dodgy practices that screw everyone over to make a quick buck their free pass will disappear as well.
 


For all the crap people say about MSFT, they actually have amazing support and actually try to fix bugs. Hell, their enhanced mitigation toolkit methods already prevent stage-fright like attacks and to this day is the only setup (win 7+ with EMT IE11) to have never been cracked in pwn2own.

More than the fact this issue exists is the problem that even if google were to solve the issue (which they won't ), they have no way to force companies to apply the security fix to phones, since the phone OS can't be patched by Google alone.
 

alextheblue

Distinguished
Apr 3, 2001
2,910
35
20,820
2
More than the fact this issue exists is the problem that even if google were to solve the issue (which they won't ), they have no way to force companies to apply the security fix to phones, since the phone OS can't be patched by Google alone.
Yeah there's going to be a lot of devices in the wild that are vulnerable without an official update path.
 

jasonkaler

Distinguished
Nov 22, 2011
478
0
19,160
105
Their approach to dealing with the problem is pathetic.
The problem is in the way the buffer works, allowing it to overflow the memory allocated to it.
They need to fix their buffers, not find workarounds.
Especially when dealing with data from untrusted sources, programmers need to take the time to add in data validation. It's not difficult to do.
 

vhawkxi

Reputable
Aug 19, 2015
1
0
4,510
0
And yet, advertisement API are still allowed by Google and other Android OS developers. They would rather make a couple of dollars out of malware adds than protect the users of the Android OS from this uncontrolled invasion of privacy and exposure to criminal software. And then they complain when the few people with brains installs add-blocking software on their devices? How long will this stupidity continue ....

Maybe it is time that they take a hint from iOS and start disallowing in-app adds.
 
Status
Not open for further replies.

ASK THE COMMUNITY

TRENDING THREADS