ANDROID "STAGEFRIGHT" VULNERABILITY - SECURITY PATCH RELEASE DATE???

Need Help?

That's what we're here for! The goal of the Rogers Community is to help you find answers on everything Rogers. Can't find what you're looking for? Just ask!
cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
I'm Here A Lot
Posts: 6

ANDROID "STAGEFRIGHT" VULNERABILITY - SECURITY PATCH RELEASE DATE???

Does anyone know  when Android users on the Roger's Network will be receiving a security patch for the "StageFright" bug?

 

My understanding is that this is a serious security vulnerability affecting most Andriod Devices.  Google has created a fix for the issue, and to the best of my understanding made it available to device vendors.  When will Roger's make this available to its customers?

 

***Edited Labels***

 

Highlighted
I'm a Trusted Advisor
Posts: 32,019

Re: ANDROID "STAGEFRIGHT" VULNERABILITY - SECURITY PATCH RELEASE DATE???

Hello @axium

Unfortunately there is no way to know when this will be released or be given a specific ETA. This is actually my first time hearing this on any Canadian tech site or forums. So it seems maybe it's not as big as it sounds?.. Either way the update will most likely come out once the carriers get the update, work on it and test it. Until then there isn't much information.
Highlighted
I'm Here A Lot
Posts: 6

Re: ANDROID "STAGEFRIGHT" VULNERABILITY - SECURITY PATCH RELEASE DATE???

I am not an I.T Security Expert.  Thus, I rely on the opinions and analysis of those individuals with this expertise.  From what they say, this is a very serious security vulnerability with the potential to be widespread and result in serious exploits.

 

As the Rogers Community, we have a right to know what steps will be taken to address this and also it is appropriate that we areprovided with a time-line for these actions.

 

Phones today are used by people for far more than communicating.  Phones are used to track personal schedules, for banking, for stock market trading.  As such, it is imperative our devices remain secure.

Highlighted
I'm a Trusted Advisor
Posts: 32,019

Re: ANDROID "STAGEFRIGHT" VULNERABILITY - SECURITY PATCH RELEASE DATE???

Hello @axium

Again i haven't seen this go public at all so not many are aware of this and most likely isn't a big issue if it hasn't been made public or Rogers hasn't said much about it.

Yes i agree but also again Rogers will ONLY make comments if when they know for sure it's a security issue and then they will say something. Until then again there isn't much to go on.


If your " sources" know its a huge issue, it should have been announced on the media and also on tech blog sites which i haven't yet. Either way we shall see.
Highlighted
I'm Here A Lot
Posts: 6

Re: ANDROID "STAGEFRIGHT" VULNERABILITY - SECURITY PATCH RELEASE DATE???

Highlighted
I'm a Trusted Advisor
Posts: 32,019

Re: ANDROID "STAGEFRIGHT" VULNERABILITY - SECURITY PATCH RELEASE DATE???

Hello @axium

As you read the article, Google said they will release it to the Nexus devices First as of next week and then go on from there. Please read the statement below that they made in the article u posted.



"As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we'll be releasing it in open source when the details are made public by the researcher at BlackHat."

Google has the capacity to send software updates directly to Nexus devices and various applications downloaded through Google play, but updates to the operating systems of other Android-powered phones are distributed through manufacturers themselves, in conjunction with wireless service providers."

This also means that Samsung, HTC, Sony and any other Android device that carriers have are controlled via the manufacturer and carrier for the updates. Again as i said until either the manufacturer or Rogers ( any carrier for that matter) says anything, there isn't much to go on.

Highlighted
I'm Here A Lot
Posts: 6

Re: ANDROID "STAGEFRIGHT" VULNERABILITY - SECURITY PATCH RELEASE DATE???

Thank you for the reply. If you would take five minutes and read about Stagefright, you would quickly see that the patch developed by Google has already been released to Nexus devices. I posted this article because in your previous response you wrote:

"Again i haven't seen this go public at all so not many are aware of this and most likely isn't a big issue if it hasn't been made public or Rogers hasn't said much about it. 

Yes i agree but also again Rogers will ONLY make comments if when they know for sure it's a security issue and then they will say something. Until then again there isn't much to go on. "

Thus, I referenced the article.

My hopes with this post were to bring some attention to this matter. Ideally, I would like to see Rogers taking a proactive approach. Why do we need to wait for this to become something horrible before it is addressed? The fact of the matter is that there is a patch available. As customers of Rogers we are forced to wait for them to provide the needed update. I would hope that could happen before the exploit becomes public knowledge and before my device is suseptible (technically it already is).

Here is another article for your reading pleasure:

https://nakedsecurity.sophos.com/2015/07/28/the-stagefright-hole-in-android-what-you-need-to-know/

The article states:
"What to do?
Try asking your device vendor whether a patch is available already. You may be able to get ahead of the game.

If you can’t get a patch right now, find out when to expect it so that you can apply it as soon as you can." There are other recommendations to prevent the researchers noted implementation to exploit the bug -MMS. However, there are many other ways this could be achieved. A patch would simply eliminate the threat.

Do you feel it unreasonable to request this information from Rogers? More importantly, I would question why they would not want to release this information.

Let's put it this way for comparison purposes. There are a number of severe health problems for which we can be immunized. Most often a person will simply get immunized and eliminate the possibility of contracting the illness.

With this security vulnerability, "StageFright", we have an immunization (security patch). Having the ability to apply this patch to our devices would eliminate all risk.

Do you feel that it is somehow not in the best interest of Rogers customers for this security update to be released? More specifically, to be released before something bad happens? I admit there is no certainty this would happen. Having said that, the security patch would make it certain.
Highlighted
I've Been Here Awhile
Posts: 4

Re: ANDROID "STAGEFRIGHT" VULNERABILITY - SECURITY PATCH RELEASE DATE???

I'm with axium on this one. The vulnerability sounds very serious and so far not a word from Rogers.

Worse yet is that the bug was highlighted to Google in April with patches on how to fix it. Google can't force operators to provides the patches. (http://www.theguardian.com/technology/2015/jul/28/stagefright-android-vulnerability-heartbleed-mobil...

And the cherry on top is that the person who discovered the bugs is making the details public at security conferences next week. With detail knowledge, those that know how to exploit will.. (http://www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/)

Highlighted
I Plan to Stick Around
Posts: 10

Re: ANDROID "STAGEFRIGHT" VULNERABILITY - SECURITY PATCH RELEASE DATE???

I wouldn't expect an update any time soon. The updates have to go through several steps - 1) Google creates & tests patch(es), 2) Google passes to phone manufacturers (HTC/Samsung/etc), 3) It then goes to ISP's/Cell phone providers (Rogers, in this case). 

 

My problem (I fear) is that I have a Saumsung phone (who are notorious for being slow to release updates), on Rogers (who is also notorious for being slow to release updates). Realistically, an ETA I would wager would be a year out. I would expect it'll be a long time. 

 

Could you imagine if Windows updates had to go through Dell/HP/IBM and then your ISP before they got rolled out? People would be freaking out. This stagefright thing is potentially vulnerable on almost a Billion (with a B) phones, and it seems no one is rushing to fix it. IMO this should be top priority! 

 

In the meantime, go into your MMS settings and either shut it off entirely, or set it to not auto-retrieve. Or turn the thing off until it updates. 

 

In the end, we probably won't see an update for this in 2015. I'd put my money on it.

Highlighted
Retired Moderator
Retired Moderator
Posts: 700

Re: ANDROID "STAGEFRIGHT" VULNERABILITY - SECURITY PATCH RELEASE DATE???

Hello Community

 

Our customers’ security is a top priority. We are aware of this potential vulnerability and are working with our device manufacturer partners to ensure our customers are protected.

 

As a work around we are recommending users to disable the auto-playing feature for MMS messages on their device for their Text Messaging Apps (includes built in text messaging app that came with the device, Google Hangouts or any 3rd party messaging app you may use).  To do this:

 

  1. Go to App Settings
  2. Disable ‘Auto-retrieve’ for MMS messages in the Messaging app's settings.
    *Settings may vary

 

RogersAsif