There's hype, but is there any actual information about the vulnerability anywhere? Best I was able to find was this:

  http://blog.zimperium.com/the-biggest-splash-at-blackhat-and-defcon-2015/
Even a CVE?


Referenced CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829 issues seem to still be in reserved status.



From the short description in the article we know that the bug is somewhere in the default video codec paths. (Triggerable by an embedded and automatically processed video file.) Of course that doesn't tell much, since the potential attack surface is a big one.

I wouldn't rule out the browser as an attack vector, but I do think the heavy sandboxing at least limits damage and scope. As the article points out, messaging apps are in a different class.

Will be interesting to see how this develops. And because the vulnerability is in the system libraries, any app that can deliver video content may be used as an attack vector.


The vulnerabilities are in Android's "stagefright" media internals. Patches are floating around, for example: http://review.cyanogenmod.org/#/c/103270/1


Wow! They managed to distill everything that's wrong with the infosec industry into one page!



