AndroidVulnerabilities.org

Stagefright

(json)

• CVE numbers: CVE-2015-1538 [nakedsecurity-stagefright], CVE-2015-1539 [nakedsecurity-stagefright], CVE-2015-3824 [nakedsecurity-stagefright], CVE-2015-3826 [nakedsecurity-stagefright], CVE-2015-3827 [nakedsecurity-stagefright], CVE-2015-3828 [nakedsecurity-stagefright], CVE-2015-3829 [nakedsecurity-stagefright]
• Coordinated disclosure?: true
• Categories: system, network
• Details: Drake said that the vulnerabilities can be exploited by sending a single multimedia text message to an unpatched Android smartphone. While the exploit is deadly, in some cases, where phones parse the attack code prior to the message being opened, the exploits are silent and the user would have little chance of defending their data. [techworm-stagefright] Stagefright is the media playback service for Android, introduced in Android 2.2 (Froyo). Stagefright in versions of Android prior to 5.1.1_r9 may contain multiple vulnerabilities, including several integer overflows, which may allow a remote attacker to execute code on the device. [cert-kb-stagefright]
• Discovered by: Joshua J. Drake [zimperium-stagefright] on: 2015-04-09 [techworm-stagefright]
• Reported on: 2015-07-21 [zimperium-stagefright]
• Fixed on: 2015-04-08 [stagefright-fix-2]
• Fix released on: 2015-08-03 [androidpolice-sprint-update]
• Affected versions: 2.2-5.1.0 [cert-kb-stagefright] regex: ([1-4].[0-9].[0-9])|(5.0.[0-9])|(5.1.[0-1])
• Affected devices: all [cert-kb-stagefright]
• Affected manufacturers: all [cert-kb-stagefright]
• Fixed versions: 5.1.1_r9 [cert-kb-stagefright]
• Submission: by: Laurent Simon, on: 2015-07-27