Talk:Stagefright (bug)

Latest comment: 7 years ago by Equinox in topic Why does a bug have its own logo?

Title should be "Android MMS vulnerabilities"

edit

Calling the article "Stagefright (bug)" is an abomination, despite WP:COMMONNAME.

  • There were several bugs announced together, not a single bug
  • Stagefright is the name of the library
  • The *real* problem is that some Android phones dangerously decode MMS messages automatically and as root. The fact that this design flaw was first exploited with some Stagefright vulns is mostly a distraction.

This article should be retitled to MMS vulnerabilities or Android MMS vulnerabilities, and a new article created for the actual Stagefright (library).

Jruderman (talk) 20:45, 4 August 2015 (UTC)Reply

Hello! Quite frankly, Jruderman, this doesn't make much sense. "Android MMS vulnerabilities" as a title makes very little sense, and everybody expects "Stagefright" as the article title. True, the bugs have been collectively named "Stagefright", and the "(bug)" disambiguation in the article title makes it clear that it isn't about the library. Moreover, it surely isn't only about the MMS-related vulnerabilities, as the bugs in Stagefright library can also be exploited by visiting specially crafted web pages (please read the references). Thus, IMHO the article should be renamed back. Furthermore, Frood, you should have waited for a discussion before renaming the article. — Dsimic (talk | contribs) 03:47, 5 August 2015 (UTC)Reply
Besides, Jruderman, the third bullet in your description looks like original research to me. Do you have any references to back it up, especially the "as root" part? Surely, disabling automatic downloading and processing of MMS messages mitigates the issue, but the automatic stuff wouldn't be a problem if we had no security-related bugs in the underlying libraries and processes. Furthermore, even if the processing of MMS messages is performed as root on some Android devices, it hasn't been exploited widely enough (or at least that isn't known publicly) until the Stagefright bug, which the article is about. As I can see on your user page, you're "a security bug hunter at Mozilla" so you probably might have some further information available, which isn't public yet; however, as we know, we need every aspect of our articles to be backed by reliable sources. — Dsimic (talk | contribs) 04:01, 5 August 2015 (UTC)Reply
Forgot to mention that even Firefox was affected by some of the bugs collectively known as "Stagefright", and that's just another reason why naming the article "MMS vulnerabilities" or "Android MMS vulnerabilities" would make very little sense. — Dsimic (talk | contribs) 04:28, 5 August 2015 (UTC)Reply
"The Bug" is as just as he says in bullet 3 and is nothing new - operators use SMS and MMS to configure the handset. Well, do you want the phone automatically loaded with voicemail and SMSC or key them all in? What they do is that the overflow a buffer, and bluntly, they have just not read the User Guide - the GSM definition. The text in the SMS that triggers the MMS is not ANSI ASCII - but ITU T.56 - and extenable character set. The LENGTH IS SET in the reference to the BLOB - that is the content. If the library reads K+1 characters, where K is the number of characters in the MMS, that is the "bug". That everyone can send a message that is "executed" is as it should be. This also applies to the iPhone, BB, Symbian - the lot, and relates to GSM. The "fix" only address the buffer overflow in a specific library, not that operators load your phone with definition and can get it to dance if they like. If your operator ("Carrier") can get the phone to dance, so can others. If the "Character Set" used to trigger the loading should be executed in a Sandbox is something that should be discussed. There is nothing here, but the name, that is specific to Android - hence that should be removed. If it is a "Bug" is arguable. It is an intended functionality, and security should be defined that can be put in place, because it is not there now. Well, do we want it, or do we accept that AT&T can make the phones in their network dance the tango?KHF 19:58, 9 November 2015 (UTC) — Preceding unsigned comment added by Khflottorp (talkcontribs)
The whole thing described in the article isn't about failing to decode text messages properly, but about the vulnerabilities in the library that's used to display multimedia content, which isn't limited to text and MMS messages. — Dsimic (talk | contribs) 21:30, 9 November 2015 (UTC)Reply

Detection App

edit

There is a Detection App.[1] Source:[2] — Preceding unsigned comment added by 91.221.58.24 (talk) 11:16, 6 August 2015 (UTC)Reply

Thanks for pointing it out, I'm working on incorporating newly released information into the article. — Dsimic (talk | contribs) 12:13, 6 August 2015 (UTC)Reply
Unfortunately, I'm too tired to do it now, will get it done later today. At the same time, I'm going to update and expand the article further, providing more context and a better layout. — Dsimic (talk | contribs) 09:28, 7 August 2015 (UTC)Reply

Outdated article

edit

This article has not had a significant update for over a year. Would the original author group please review the current status, especially with Android 7.0 now available on some devices, as of September 2016. I work for a US-based corporation that fully bans Android devices from connecting to the corporate services such as email and mobile management, because of the belief that Stagefright is still a serious issue for all Android devices. Is this belief mistaken? Haryadoon (talk) 00:48, 4 September 2016 (UTC)Reply

I've somewhat updated the article. Unfortunately phones vulnerable to stagefright that cannot be upgraded in some way should absolutely not connect to the internet at the risk of becoming a danger for its owners private life. It is outrageous that manufacturers abandoned these devices, actually letting them become expensive bricks; I'm concerned that consumers didn't start a class action. Ogoorcs (talk) 21:50, 10 June 2017 (UTC)Reply

Why does a bug have its own logo?

edit

The image is captioned "Logo of the Stagefright library bug". Who gives a bug a logo? What is the "official" etc. status of this logo? Equinox 07:43, 17 November 2017 (UTC)Reply