5

I saw a question about Android's "Stagefright" vulnerability, and I got to thinking: other OSes pre-process MMS messages to make them easier to view. iOS does it and shows a preview. Even BREW OS (the OS that comes with a basic flip/slider phone) has an option to auto-download an MMS.

If the vulnerability operates by exploiting a flaw in a 3GPP video's metadata, then wouldn't iOS and many other mobile OSes be susceptible to this vulnerability? Or is it just Android's "Hangouts" app?

DDPWNAGE

1 Answer

7

The bug isn't with the file format, it's with the software of Hangouts the Android software library. iOS, Android, and Windows phones run system software from three different groups of developers. As such, this vulnerability probably doesn't exist on other platforms. Even if it did, one payload couldn't affect all three systems, because their software isn't binary compatible at the ABI (application binary interface) level of the OS. A valid exploit in system code on one system that caused, say, a rootkit install would likely only cause the other systems to crash, which would still be bad, but the systems could probably recover without too much trouble.

phyrfox
  • I see. Code does different things on different OSes. One binary might not work with iOS, but it'll work with Android. Thank you for the detailed answer! – DDPWNAGE Jul 29 '15 at 03:13
  • The bug isn't with Hangouts, the problem is the software which decodes media. Hangouts is just a vector for getting those decoders to decode things – Squidly Jul 29 '15 at 10:19
  • If it only were a bug in Hangouts this wouldn't be such a problem because it would be easy to push an update through Play Store. This bug really shows the security value of using CM compared to stock Android. – efr4k Jul 29 '15 at 11:49
  • @MrBones Fair enough. The main point of the answer was simply to state that a vulnerability, especially one that targets system software on a certain operating system, can't propagate to other systems, like Windows Phone, iOS, Windows Desktop, or Mac OSX, unless they shared the same code. – phyrfox Jul 29 '15 at 13:34
  • @DDPWNAGE "One binary might not work with iOS, but it'll work with Android." is not the right way to think about this particular bug; that's like asking if my Mazda is affected by a defect in Chrysler's manufacturing. StageFright is an issue with how Android implemented the 3GPP decoder, which is buried deep in the compiled OS code. Each OS will have its own implementation of this library. – Mike Ounsworth Jul 29 '15 at 13:48
  • @ephrack "This bug really shows the security value of using CM compared to stock Android." -- Can you explain why you think that's true? In this case CyanogenMod got the patch early because the guy who found it happened to be a big open-source contributor ([see his commit history](https://github.com/jduck?tab=activity)). I happen to agree with you that CM is more secure, but not for any reason that has to do with StageFright. – Mike Ounsworth Jul 29 '15 at 14:01
  • @MikeOunsworth Because fragmentation. If you're on a nightly channel for CM you get updates and fixes all of the time. With stock you have to wait for your phone manufacturer and in some cases your network provider to push an OTA update. And that is IF they'll even push an update... – efr4k Jul 29 '15 at 14:11
  • @ephrack Cool, those are the arguments I had in mind too, but I think quick patch distribution is also true for Nexus Android and iOS. I'm sure it's not unique to CM. – Mike Ounsworth Jul 29 '15 at 14:31
  • @MikeOunsworth That's true. – efr4k Jul 29 '15 at 14:45
  • @MikeOunsworth Actually, BlueBox states this: "Typically, Nexus devices will have to wait until the next major Android release for fixes to be received." I do not know if this is true though. – efr4k Jul 30 '15 at 08:16