
Stagefright vulnerability found in most (all) Android phones

SOLVED
Enthusiast
Message 1 of 118

Stagefright vulnerability found in most (all) Android phones

With the StageFright vulnerability supposedly allowing anyone to take over Android phones by sending a maliciously crafted MMS message or other video-based communication to your phone, will Sony address this fix on Sony Xperia smartphones?

 

Apparently, Google has provided a patch to partners. However, any word or official statement on which phone(s) will receive the patch?

 

*edit* Latest Android 5.1.1 build does not seem to contain a fix. Is there any general insight into Sony's release schedule, pertaining to addressing this issue?


Owner of an Xperia ZL. Experienced the IR Problem, TWICE
and even THRICE!

Accepted Solutions
Sony Xperia Support
Message 77 of 118

Re: Xperia Z2 23.4.A.1.200 update: Stagefright vulnerability

Hi everyone - thanks for your comments. We would just like to reassure you following reports that some protection and detector software identifies certain Xperia devices as remaining vulnerable to the “Stagefright” flaw, despite receiving the corrective security patches.

Protection and detector software use dummy media files to assess if security patches are installed. We added media file validation checks within the firmware that are wrongly identified as crashes and vulnerabilities by some protection software – we fully reassure all our customers that the security patches eliminate any risk posed by the “Stagefright” flaw from Xperia devices. The firmware is rolling out through our retail partners within normal and regular software maintenance, with exact timings varying by region and/or operator.

Official Sony Xperia Support Staff



117 REPLIES
Forum Legend
Message 2 of 118

Re: Stagefright vulnerability found in most (all) Android phones

Contact Xperia care as we aren't able to provide an answer http://www.sonymobile.com/global-en/support/contact-us/

For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled.   Richard P. Feynman



Enthusiast
Message 3 of 118

Re: Stagefright vulnerability found in most (all) Android phones

I figured I'd start a thread here, as this is a global issue. Many customers are affected, so I assume Support would want to centralize their communication, as opposed to dealing with thousands of individual support issues.


Visitor
Message 4 of 118

Re: Stagefright vulnerability found in most (all) Android phones

Perhaps a flood of support requests will act as a catalyst for action?  I've just sent one.

Message 5 of 118

Stagefright vulnerability

The latest patch (5.1.1) does not seem to include a fix for the security issue nicknamed Stagefright?

Stagefright is a pretty serious vulnerability where an attacker can execute arbitrary code on your Android device by simply sending you an MMS or chat message. Almost all Android devices are vulnerable. Fixes are available from Google.

 

References: 

http://www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/
More details will be available at BlackHat next week: https://www.blackhat.com/us-15/briefings.html#joshua-drake

 

Starting August 5th, some time after 15:00 - attacks will be seen in public.

 

Vulnerability identifiers:

CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829.

 

OEM responses:

According to Forbes, HTC has started working on releasing a fix for their devices and Nexus will get a patch next week.

CyanogenMod claims their latest release includes a fix (https://plus.google.com/+CyanogenMod/posts/7iuX21Tz7n8). The researcher, Joshua Drake, joined the CM-thread linked above and urged users to patch.

 

Status:

Currently CM seems to be the only ones to patch, do we really need to use a custom ROM to be secure?

Message 6 of 118

Re: Stagefright vulnerability

Update: Blackphone and ASUS ZenPhone 2 also reported patched.

Inhabitant
Message 7 of 118

Re: Stagefright vulnerability

Vulnerabilities like this really highlight how unacceptable it is for older devices to go without any updates at all, even against critical security vulnerabilities.

 

Please, Sony, help users of your older phones move off the Android train wreck. Let us migrate our devices to Firefox OS with OTA updates.

Message 8 of 118

Re: Stagefright vulnerability found in most (all) Android phones

I contacted Sony - I felt like I was fobbed off though! Or maybe it is that they couldn't give a monkey's!

The question I asked was if my phone (Z3 Compact) was impacted by Stagefright and if so what the timescale for a patch was. Here is the transcript that followed:

 

Daniel: I can advise that this is being dealt with by Google as they are the developers of all Android software. We do not currently have any information regarding this.

For further information I would suggest that you contact Google. Android updates/bug fixes are different/separate from the software updates we roll out. Bug fixes for Android are automatically sent out by Google and would update automatically on the handset, you would not be notified of this - the handset would simply receive the patch and install this itself.

If you are concerned about the security of your device or believe there may be a virus on the handset then it may be advisable to perform a software repair as this would wipe the device and get rid of any viruses or malicious software. Otherwise, with general security in mind just be cautious and avoid downloading 3rd party apps or files from insecure websites. Make sure to check app ratings and information in the Google Play Store before installing any apps.

I would also advise against making online payments or storing sensitive information on the handset if you believe the security is compromised. You can also try to prevent this from reaching your handset by disabling the automatic retrieval of MMS messages on your handset by doing the following: Go into Messaging > Settings > ensure the MMS auto download checkbox is unmarked.
Myles: That is unusual because I believe that Google can update the applications on the device.
Myles: This is an element of the actual OS and so Google have made it clear that it must be patched by the device supplier
Myles: and that they have already sent all such suppliers the correct patch
Daniel: I understand what you are saying but it is an issue with Android which is owned and developed by Google so the patch would need to come from Google
Myles: The official reply is that Google have passed you the patch and in the same way you will provide an Android update from 5.0.1 to 5.1.2 this security fix needs to be delivered
Daniel: Ok but the issue is with the Android operating system so the patch needs to be rolled out by Google. For example if it were the responsibility of the manufacturer of the phone then the phones that are not Sony phones would then still have this issue. As it is an Android issue it is something that has to be patched by Google
Daniel: At this time we unfortunately have no further information other than Google would be releasing the patch to resolve this issue
Myles: I don't agree but I dislike running against brick walls
Myles: Why has Sony not released an official announcement regarding such a high profile and critical security issue?
Daniel: This announcement would need to come from Google as they develop the operating system, if there are any announcements to be made that would affect just Sony handsets then there would be an announcement made on the website and/or blog

Inhabitant
Message 9 of 118

Re: Stagefright vulnerability found in most (all) Android phones

“Daniel’s” answer is incorrect. Google does not update anything on Sony phones unless it goes through Sony first.

Message 10 of 118

Re: Stagefright vulnerability found in most (all) Android phones

It generally came across like they didn't care, which for a company the size of Sony is a shame. The fact that there has been no official announcement, even if just to say they are investigating, is very bad practice.

The response appeared to believe it is like having a Windows security issue whereby Microsoft will produce the patch...

 

Sony need to realise that the era of being able to ignore issues and pretend they don't exist has passed.  

 

Be honest and open and you will gain respect from your customers!

 

At this point I have not really been after a fix date, just for them to admit that their handsets actually suffer from the issue even if it is not caused by Sony-made customisations to the platform. I was in no way trying to apportion blame to Sony, I was just trying to see if they were going to take responsibility for fixing the situation that millions of their customers are currently in.