Revision history [back]
 | 1 | initial version | posted 2015-07-27 23:14:16 +0300 |
[security] is Alien Dalvik affected by "Stagefright" vulnerability?
excerpt from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
| | 2 | No.2 Revision |
[security] is Alien Dalvik affected by "Stagefright" vulnerability?
excerpt from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 3 | No.3 Revision |
[security] is Alien Dalvik affected by "Stagefright" vulnerability?
excerpt from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 4 | No.4 Revision |
[security] is Alien Dalvik affected by "Stagefright" vulnerability?
excerpt EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
exceprt from changelog:
Backport stagefright vulnerability fix.
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 5 | No.5 Revision |
[security] is Alien Dalvik affected by "Stagefright" vulnerability?
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
exceprt excerpt from changelog:
Backport stagefright vulnerability fix.
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 6 | No.6 Revision |
[security] is Alien Dalvik affected by "Stagefright" vulnerability?
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0 excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 7 | No.7 Revision |
[security] is Alien Dalvik affected by "Stagefright" vulnerability?
[CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460]
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0 excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 8 | No.8 Revision |
[security] is Alien Dalvik affected by "Stagefright" vulnerability?
[CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460]
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
2.0.0 excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 9 | No.9 Revision |
[security] is Alien Dalvik affected by "Stagefright" vulnerability?
[CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460]
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the
agendaagenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 10 | No.10 Revision |
[security] is Alien Dalvik is affected by "Stagefright" vulnerability?vulnerability!
as Stagelight is the Android-Flashplayer...
[CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460][CVE-2016-2460] recent vulnerabilities...
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 11 | No.11 Revision |
[security] Alien Dalvik is affected by "Stagefright" vulnerability!
as Stagelight Stagefright is the Android-Flashplayer...
[CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 12 | No.12 Revision |
[security] Alien Dalvik is affected by "Stagefright" vulnerability!
as Stagefright is the Android-Flashplayer... [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 13 | No.13 Revision |
[security] Alien Dalvik is affected by "Stagefright" vulnerability!
as Stagefright is the Android-Flashplayer...
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 14 | No.14 Revision |
[security] Alien Dalvik is affected by "Stagefright" vulnerability!
as Stagefright is the Android-Flashplayer...
Android-Flashplayer [unfixed status Jul2016]:
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499][CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508
high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756
moderate: CVE-2016-3764 CVE-2016-3766
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 15 | No.15 Revision |
[security] Alien Dalvik is affected by "Stagefright" vulnerability!vulnerabilities!
as Stagefright is the Android-Flashplayer [unfixed status Jul2016Aug2016]:
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508
high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756
moderate: CVE-2016-3764 CVE-2016-3766CVE-2016-3766
new ones Aug2016: critical: CVE-2016-3819, CVE-2016-3821
high: CVE-2016-3823, CVE-2016-3824, CVE-2016-3826, CVE-2016-3830
moderate: CVE-2016-3835
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 16 | No.16 Revision |
[security] Alien Dalvik is affected by "Stagefright" vulnerabilities!
as Stagefright is the Android-Flashplayer [unfixed status Aug2016]:
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508
high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756
moderate: CVE-2016-3764 CVE-2016-3766
new ones Aug2016: critical: CVE-2016-3819, CVE-2016-3821
high: CVE-2016-3823, CVE-2016-3824, CVE-2016-3826, CVE-2016-3830
moderate: CVE-2016-3835CVE-2016-3835
so don't use android-browser and be afraid of hummingbad-infection
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 17 | No.17 Revision |
[security] Alien Dalvik is affected by "Stagefright" vulnerabilities!Do we get absolutely essential fix for Stagefright-vulnerabilities?
as Stagefright is the Android-Flashplayer [unfixed status Aug2016Sep2016]:
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508
high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756
moderate: CVE-2016-3764 CVE-2016-3766
new ones Aug2016: critical: CVE-2016-3819, CVE-2016-3821
high: CVE-2016-3823, CVE-2016-3824, CVE-2016-3826, CVE-2016-3830
moderate: CVE-2016-3835
critical: CVE-2016-3861 CVE-2016-3862
high: CVE-2016-3863 CVE-2016-3870 -72 CVE-2016-3879-81
so don't use android-browser and be afraid of hummingbad-infection
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 18 | No.18 Revision |
Do we get absolutely essential fix for Stagefright-vulnerabilities?
as Stagefright is the Android-Flashplayer [unfixed status Sep2016]:
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508
high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756
moderate: CVE-2016-3764 CVE-2016-3766
new ones Aug2016: critical: CVE-2016-3819, CVE-2016-3821
high: CVE-2016-3823, CVE-2016-3824, CVE-2016-3826, CVE-2016-3830
moderate: CVE-2016-3835
critical: CVE-2016-3861 CVE-2016-3862
high: CVE-2016-3863 CVE-2016-3870 -72 CVE-2016-3879-81
so don't use android-browser and be afraid of hummingbad-infection
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 19 | No.19 Revision |
Do we get absolutely essential fix for Stagefright-vulnerabilities?
as Stagefright is the Android-Flashplayer [unfixed status Sep2016Oct'2016]:
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508
high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756
moderate: CVE-2016-3764 CVE-2016-3766
new ones Aug2016: critical: CVE-2016-3819, CVE-2016-3821
high: CVE-2016-3823, CVE-2016-3824, CVE-2016-3826, CVE-2016-3830
moderate: CVE-2016-3835
critical: CVE-2016-3861 CVE-2016-3862
high: CVE-2016-3863 CVE-2016-3870 -72 CVE-2016-3879-81
CVE-2016-3879-81
Oct'16: high CVE-2016-3909, CVE-2016-3910, CVE-2016-3913, CVE-2016-3920
so don't use android-browser and be afraid of hummingbad-infection
And fear combining stagefright with dirty cow!
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 20 | No.20 Revision |
Do we get absolutely essential fix for Stagefright-vulnerabilities?
as Stagefright is the Android-Flashplayer "Android-Flashplayer". This does NOT only affect users of aliendalvik as libstagefright is present in /system/lib . So all Jolla-device users are hit by those vulnerabilities [unfixed status Oct'2016Apr'2017]:
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508
high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756
moderate: CVE-2016-3764 CVE-2016-3766
new ones Aug2016: critical: CVE-2016-3819, CVE-2016-3821
high: CVE-2016-3823, CVE-2016-3824, CVE-2016-3826, CVE-2016-3830
moderate: CVE-2016-3835
critical: CVE-2016-3861 CVE-2016-3862
high: CVE-2016-3863 CVE-2016-3870 -72 CVE-2016-3879-81
Oct'16: high CVE-2016-3909, CVE-2016-3910, CVE-2016-3913, CVE-2016-3920
Apr'17: critical CVE-2017-0541 high: CVE-2017-0547 moderate: CVE-2017-0558
so don't use android-browser and be afraid of hummingbad-infection
And fear combining stagefright with dirty cow!
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvik
| | 21 | No.21 Revision |
Do we get absolutely essential fix for Stagefright-vulnerabilities?
as Stagefright is the "Android-Flashplayer". This does NOT only affect users of aliendalvik as libstagefright is present in /system/lib . So all Jolla-device users are hit by those vulnerabilities [unfixed status Apr'2017]:
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508
high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756
moderate: CVE-2016-3764 CVE-2016-3766
new ones Aug2016: critical: CVE-2016-3819, CVE-2016-3821
high: CVE-2016-3823, CVE-2016-3824, CVE-2016-3826, CVE-2016-3830
moderate: CVE-2016-3835
critical: CVE-2016-3861 CVE-2016-3862
high: CVE-2016-3863 CVE-2016-3870 -72 CVE-2016-3879-81
Oct'16: high CVE-2016-3909, CVE-2016-3910, CVE-2016-3913, CVE-2016-3920
Apr'17: critical CVE-2017-0541 high: CVE-2017-0547 moderate: CVE-2017-0558
so don't use android-browser and be afraid of hummingbad-infection
And fear combining stagefright with dirty cow!
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is at least present on jollas with installed Alien Dalvikjollas
| | 22 | No.22 Revision |
Do we get absolutely essential fix for Stagefright-vulnerabilities?
as Stagefright is the "Android-Flashplayer". This does NOT only affect users of aliendalvik as libstagefright is present in /system/lib . So all Jolla-device users are hit by those vulnerabilities [unfixed status Apr'2017]:
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508
high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756
moderate: CVE-2016-3764 CVE-2016-3766
new ones Aug2016: critical: CVE-2016-3819, CVE-2016-3821
high: CVE-2016-3823, CVE-2016-3824, CVE-2016-3826, CVE-2016-3830
moderate: CVE-2016-3835
critical: CVE-2016-3861 CVE-2016-3862
high: CVE-2016-3863 CVE-2016-3870 -72 CVE-2016-3879-81
Oct'16: high CVE-2016-3909, CVE-2016-3910, CVE-2016-3913, CVE-2016-3920
Apr'17: critical CVE-2017-0541 high: CVE-2017-0547 moderate: CVE-2017-0558
so don't use android-browser and be afraid of hummingbad-infection
And fear combining stagefright with dirty cow!
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is present on jollasjollas (even without aliendalvik)
# ls /opt/alien/system/lib
lists libstagefright ,so it is present on jollas with aliendalvik additionally (so on these devices you'll find 2 versions of it, both vulnerable)
| | 23 | No.23 Revision |
Do we get absolutely essential fix for Stagefright-vulnerabilities?Stagefright-vulnerabilities (some are remote-attackable)?
as Stagefright is the "Android-Flashplayer". This does NOT only affect users of aliendalvik as libstagefright is present in /system/lib . So all Jolla-device users are hit by those vulnerabilities [unfixed status Apr'2017]:
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508
high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756
moderate: CVE-2016-3764 CVE-2016-3766
new ones Aug2016: critical: CVE-2016-3819, CVE-2016-3821
CVE-2016-3819 remote, CVE-2016-3821 remote high: CVE-2016-3823, CVE-2016-3824, CVE-2016-3826, CVE-2016-3830
moderate: CVE-2016-3835
critical: CVE-2016-3861 CVE-2016-3862
high: CVE-2016-3863 CVE-2016-3870 -72 CVE-2016-3879-81
Oct'16: high CVE-2016-3909, CVE-2016-3910, CVE-2016-3913, CVE-2016-3920
Apr'17: critical CVE-2017-0541 high: CVE-2017-0547 moderate: CVE-2017-0558
so don't use android-browser and be afraid of hummingbad-infection
And fear combining stagefright with dirty cow!
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is present on jollas (even without aliendalvik)
# ls /opt/alien/system/lib
lists libstagefright ,so it is present on jollas with aliendalvik additionally (so on these devices you'll find 2 versions of it, both vulnerable)
| | 24 | No.24 Revision |
Do we get absolutely essential fix for Stagefright-vulnerabilities (some are remote-attackable)?
as Stagefright is the "Android-Flashplayer". This does NOT only affect users of aliendalvik as libstagefright is present in /system/lib . So all Jolla-device users are hit by those vulnerabilities [unfixed status Apr'2017]:
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508
high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756
moderate: CVE-2016-3764 CVE-2016-3766
new ones Aug2016: critical: CVE-2016-3819 remote, CVE-2016-3821 remote
high: CVE-2016-3823, CVE-2016-3824, CVE-2016-3826, CVE-2016-3830
moderate: CVE-2016-3835
critical: CVE-2016-3861 CVE-2016-3862
high: CVE-2016-3863 CVE-2016-3870 -72 CVE-2016-3879-81
Oct'16: high CVE-2016-3909, CVE-2016-3910, CVE-2016-3913, CVE-2016-3920
Apr'17: critical CVE-2017-0541 high: CVE-2017-0547 moderate: CVE-2017-0558
so don't use android-browser and be afraid of hummingbad-infection
And fear combining stagefright with dirty cow!
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is present on jollas (even without aliendalvik)
# ls /opt/alien/system/lib
lists libstagefright ,so it is present on jollas with aliendalvik additionally (so on these devices you'll find 2 versions of it, both vulnerable)
| | 25 | No.25 Revision |
Do we get absolutely essential fix for Stagefright-vulnerabilities (some are remote-attackable)?
as Stagefright is the "Android-Flashplayer". This does NOT only affect users of aliendalvik as libstagefright is present in /system/lib (<- BULLSHIT!) . So all Jolla-device users are hit by those vulnerabilities [unfixed status Apr'2017]:
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508
high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756
moderate: CVE-2016-3764 CVE-2016-3766
new ones Aug2016: critical: CVE-2016-3819 remote, CVE-2016-3821 remote
high: CVE-2016-3823, CVE-2016-3824, CVE-2016-3826, CVE-2016-3830
moderate: CVE-2016-3835
critical: CVE-2016-3861 CVE-2016-3862
high: CVE-2016-3863 CVE-2016-3870 -72 CVE-2016-3879-81
Oct'16: high CVE-2016-3909, CVE-2016-3910, CVE-2016-3913, CVE-2016-3920
Apr'17: critical CVE-2017-0541 high: CVE-2017-0547 moderate: CVE-2017-0558
so don't use android-browser and be afraid of hummingbad-infection
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is present on jollas (even without aliendalvik)
# ls /opt/alien/system/lib
lists libstagefright ,so it is present on jollas with aliendalvik additionally (so on these devices you'll find 2 versions of it, both vulnerable)
| | 26 | No.26 Revision |
Do we get absolutely essential fix for Stagefright-vulnerabilities (some are remote-attackable)?
as Stagefright is the "Android-Flashplayer". This does NOT only affect users of aliendalvik as libstagefright is present in /system/lib (<- BULLSHIT!) . So all Jolla-device users are hit by those vulnerabilities [unfixed status Apr'2017]:
[CVE-2015-6602] [CVE-2016-0803] [CVE-2016-0810] [CVE-2016-0815] [CVE-2016-1621] [CVE-2016-0826] [CVE-2016-0827] [CVE-2016-0829] [CVE-2016-0837] [CVE-2016-0838] [CVE-2016-0841] [CVE-2016-2416] [CVE-2016-2417] [CVE-2016-2428] [CVE-2016-2429] [CVE-2016-2448] [CVE-2016-2449] [CVE-2016-2450] [CVE-2016-2451] [CVE-2016-2452] [CVE-2016-2459] [CVE-2016-2460] recent vulnerabilities...
new ones added June2016: critical: [CVE-2016-2463] [CVE-2016-2464] high: CVE-2016-2476 CVE-2016-2477 CVE-2016-2478 CVE-2016-2479 CVE-2016-2480 CVE-2016-2481 CVE-2016-2482 CVE-2016-2483 CVE-2016-2484 CVE-2016-2485 CVE-2016-2486 CVE-2016-2487 CVE-2016-2495 moderate: [CVE-2016-2499]
new ones Jul2016: critical: CVE-2016-2506 CVE-2016-2507 CVE-2016-2508
high: CVE-2016-3745 CVE-2016-3746 CVE-2016-3747 CVE-2016-3753 CVE-2016-3754 CVE-2016-3756
moderate: CVE-2016-3764 CVE-2016-3766
new ones Aug2016: critical: CVE-2016-3819 remote, CVE-2016-3821 remote
high: CVE-2016-3823, CVE-2016-3824, CVE-2016-3826, CVE-2016-3830
moderate: CVE-2016-3835
critical: CVE-2016-3861 CVE-2016-3862
high: CVE-2016-3863 CVE-2016-3870 -72 CVE-2016-3879-81
Oct'16: high CVE-2016-3909, CVE-2016-3910, CVE-2016-3913, CVE-2016-3920
Apr'17: critical CVE-2017-0541 high: CVE-2017-0547 moderate: CVE-2017-0558
so don't use android-browser and be afraid of hummingbad-infection
EDIT 20151022: Vulnerability is fixed in System-Update 2.0.0
excerpt from changelog:
Backport stagefright vulnerability fix.
EDIT 20160320: Android component is still not completely fixed. lpr in a comment below:
no, google is still fixing it up. The vulnerability was more complex and not done with a simple fix... still on the agenda
interesting link: upcoming driveby infection of Android (the very described cve in the article is fixed in Jolla...)
Original Post:
from the linked article:
Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android.
They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted.
From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
# ls /system/bin
lists stagefright ,so it is present on jollas (even without aliendalvik)
# ls /opt/alien/system/lib
lists libstagefright ,so it is present on jollas with aliendalvik additionally (so on these devices you'll find 2 versions of it, both vulnerable)