In light of Google being forced to reissue a patch for the Stagefright vulnerability after the initial fix failed, Tod Beardsley, security engineering manager at Rapid7, has provided the following comment.
“The problem Google is facing is not so much shipping security vulnerabilities in popular software products; everyone ships bugs, it happens. The real problem we’re seeing today is a breakdown in the Android patch pipeline.
In this case, two critical components of Google’s vulnerability handling process are failing. First, it is extremely difficult for Google, or anyone else, to get updated software into the hands of users. Even Nexus devices, which Google has the most direct control over, will have to wait until a September release for an update to the insufficient Stagefright patch. This lag time between having a fix in hand and distributing it to the user base is simply too slow to be reasonably safe. If malicious actors choose to exploit this set of vulnerabilities in the meantime, there seems to be nothing everyday users can do to defend themselves.
The other breakdown in the Stagefright feedback process was Google’s handling of Exodus’s alert about the flawed patch, by not responding in a timely way. Many companies struggle with first contact with researchers reporting vulnerabilities, but this is not Google’s first rodeo. After all, Google’s Project Zero reports out vulnerabilities to other major vendors routinely with certain expectations on communication. They need to be able to practice what they preach a little better in this area if Android users are to be confident in Google’s stewardship of the codebase.”
Rapid7 security data and analytics software and services help organizations reduce the risk of a breach, detect and investigate attacks, and build effective IT security programs. With comprehensive real-time data collection, advanced correlation, and insight into attacker techniques, Rapid7 strengthens an organization’s ability to defend against everything from opportunistic drive-by attacks to advanced threats. Unlike traditional vulnerability management and incident detection technologies, Rapid7 provides visibility, monitoring, and insight across assets and users from the endpoint to the cloud. Dedicated to solving the toughest security challenges, Rapid7 offers proprietary capabilities to spot intruders leveraging today’s #1 attack vector: compromised credentials. Rapid7 is trusted by more than 3,700 organizations across 90 countries, including 30% of the Fortune 1000.