You may have seen news that a vulnerability has been discovered in Android software Stagefright, which lets attackers send malware directly to any device where they know the phone number.
Chris Wysopal, CISO and CTO at Veracode, the application security specialists commented on the news that a vulnerability has been discovered in Android software Stagefright.
Chris Wysopal, CISO and CTO at Veracode :
“This is Heartbleed for mobile – a remotely exploitable vulnerability that affects millions of Android-based phones and tablets. These are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS. All an attacker needs to do is send an MMS to a user’s device phone number and sit back and wait for the malware to take over. It will be very interested to see how Google responds to this. They’ll have to drive the patch quickly and in a manner that impacts every affected device at the same time. Waiting for handset manufacturers or carriers to issue a patch would be problematic since it could take a month or more before each party issues a patch. This would leave a big window for an attacker to reverse engineer the first patch issued by whichever party to create an exploit that would impact any device. We’re likely to see Google force down a tool that addresses the vulnerability for everyone.”[su_box title=”About Veracode” style=”noise” box_color=”#336588″]Veracode is a leader in securing web, mobile and third-party applications for the world’s largest global enterprises. By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market – without compromising security.Veracode’s powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures.Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes’ 100 Most Valuable Brands.[/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.