The bug is part of Stagefright, a piece of code in Android that plays back media in MMS (multimedia message). All a hacker needs to do is send an MMS containing the exploit to the phone number of an Android device, which would let him or her write code to it and access any part of the phone that Stagefright has permissions for.
Drake says he originally told Google about the exploit back in April and sent patches to fix the bugs. “Basically, within 48 hours I had an email telling me that they had accepted all of the patches I sent them, which was great,” he said to NPR. “You know, that’s a very good feeling.” The problem is, Android OS is notoriously difficult to update unless your carrier and phone vendor both play ball and coordinate a patch rollout.
Adrian Ludwig, Android Security’s lead engineer at Google, told NPR, “The flaw ranks as high in their hierarchy of severity; and they’ve notified partners and already sent a fix to the smartphone makers who use Android, [but] whether it gets put into people’s phones is not in Google’s hands.”
This is what happens when you put OS updates in the hands of companies that would rather sell you a new device than spend the effort patching the one you have, especially when there are hundreds and hundreds of different models out there, each with their own custom code on top of Android and woven into it in various fashions. Patching it will be a nightmare, and will depend entirely on how each manufacturer and carrier approach and resolve the problem individually.
No comments:
Post a Comment