The update to fix the Stagefright flaw is the first in a series of security patches that manufacturers of Android devices have decided to deliver each month.
As PC makers, Google, Samsung, and LG will begin rolling out monthly security patches for Android devices to address chronic issues with critical vulnerabilities that regularly undermine the security of their users. First, they will deliver a fix for the Stagefright flaw that currently exposes hundreds of millions of Android smartphones. For years, security experts have warned of slow Android device updates, even when manufacturers bother to release a patch to close a critical vulnerability. Mobiles and tablets running Android have been increasingly targeted by hackers looking to steal data or impersonate users.
To finally address this problem, “Google will deliver a monthly over-the-air security update for its Nexus devices,” Adrian Ludwig, chief Android security engineer, said at the Black Hat conference being held. until today in Las Vegas. “Nexus devices will continue to receive major updates for at least two years and security patches for up to three years from initial availability, or 18 months from the end-of-sale date of the device. device on the Google Store,” he further wrote in a blog post. “The first update, delivered yesterday, is primarily intended to fix the Stagefright vulnerability,” he said.
Stagefright takes control of the terminal remotely
Most Android devices are exposed to the Stagefright flaw, which allows remote control of the device to be taken over using a simple specially crafted multimedia message (MMS). For this, the attacker does not even need to know the victim’s phone number. “For three years, Google has been providing manufacturers with almost monthly notices of security patches,” wrote the chief engineer, but this does not necessarily mean that these updates reach users, in particular because their deployment requires agreements with mobile operators.
“Samsung is currently in discussions with operators around the world to implement this new strategy,” the Korean manufacturer said in a blog post. “We will soon give more details on the modalities and the timetable that we have been able to put in place with these operators and our partners”. Samsung has also started an accelerated update system for its line of Galaxy terminals in order to protect them as quickly as possible against the Stagefright flaw. At the Black Hat 2015 conference, Adrian Ludwig also announced that LG had made a similar commitment.
Microsoft started its monthly Patch Tuesday in 2003
It was in 2003 that Microsoft began to deliver monthly patches, its famous Tuesday Patch. The increasing number of flaws identified in its operating systems increasingly worried security experts. Microsoft continues to deliver patches on the second Tuesday of each month. For more critical vulnerabilities, the vendor sometimes breaks this schedule by delivering an emergency patch. In 2009, Adobe Systems also implemented a regular patching schedule as its products became a prime target for hackers. For its part, Oracle provides a quarterly update, which is generally quite extensive.