Talk:Stagefright (bug)
This is the talk page for discussing improvements to the Stagefright (bug) article. This is not a forum for general discussion of the article's subject. |
Article policies
|
Find sources: Google (books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL |
Archives: 1Auto-archiving period: 90 days |
This article is rated C-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects: | ||||||||||||||||||||||||||||||||
|
Title should be "Android MMS vulnerabilities"
[edit]Calling the article "Stagefright (bug)" is an abomination, despite WP:COMMONNAME.
- There were several bugs announced together, not a single bug
- Stagefright is the name of the library
- The *real* problem is that some Android phones dangerously decode MMS messages automatically and as root. The fact that this design flaw was first exploited with some Stagefright vulns is mostly a distraction.
This article should be retitled to MMS vulnerabilities or Android MMS vulnerabilities, and a new article created for the actual Stagefright (library).
Jruderman (talk) 20:45, 4 August 2015 (UTC)
- Hello! Quite frankly, Jruderman, this doesn't make much sense. "Android MMS vulnerabilities" as a title makes very little sense, and everybody expects "Stagefright" as the article title. True, the bugs have been collectively named "Stagefright", and the "(bug)" disambiguation in the article title makes it clear that it isn't about the library. Moreover, it surely isn't only about the MMS-related vulnerabilities, as the bugs in Stagefright library can also be exploited by visiting specially crafted web pages (please read the references). Thus, IMHO the article should be renamed back. Furthermore, Frood, you should have waited for a discussion before renaming the article. — Dsimic (talk | contribs) 03:47, 5 August 2015 (UTC)
- Besides, Jruderman, the third bullet in your description looks like original research to me. Do you have any references to back it up, especially the "as root" part? Surely, disabling automatic downloading and processing of MMS messages mitigates the issue, but the automatic stuff wouldn't be a problem if we had no security-related bugs in the underlying libraries and processes. Furthermore, even if the processing of MMS messages is performed as root on some Android devices, it hasn't been exploited widely enough (or at least that isn't known publicly) until the Stagefright bug, which the article is about. As I can see on your user page, you're "a security bug hunter at Mozilla" so you probably might have some further information available, which isn't public yet; however, as we know, we need every aspect of our articles to be backed by reliable sources. — Dsimic (talk | contribs) 04:01, 5 August 2015 (UTC)
- Forgot to mention that even Firefox was affected by some of the bugs collectively known as "Stagefright", and that's just another reason why naming the article "MMS vulnerabilities" or "Android MMS vulnerabilities" would make very little sense. — Dsimic (talk | contribs) 04:28, 5 August 2015 (UTC)
- "The Bug" is as just as he says in bullet 3 and is nothing new - operators use SMS and MMS to configure the handset. Well, do you want the phone automatically loaded with voicemail and SMSC or key them all in? What they do is that the overflow a buffer, and bluntly, they have just not read the User Guide - the GSM definition. The text in the SMS that triggers the MMS is not ANSI ASCII - but ITU T.56 - and extenable character set. The LENGTH IS SET in the reference to the BLOB - that is the content. If the library reads K+1 characters, where K is the number of characters in the MMS, that is the "bug". That everyone can send a message that is "executed" is as it should be. This also applies to the iPhone, BB, Symbian - the lot, and relates to GSM. The "fix" only address the buffer overflow in a specific library, not that operators load your phone with definition and can get it to dance if they like. If your operator ("Carrier") can get the phone to dance, so can others. If the "Character Set" used to trigger the loading should be executed in a Sandbox is something that should be discussed. There is nothing here, but the name, that is specific to Android - hence that should be removed. If it is a "Bug" is arguable. It is an intended functionality, and security should be defined that can be put in place, because it is not there now. Well, do we want it, or do we accept that AT&T can make the phones in their network dance the tango?KHF 19:58, 9 November 2015 (UTC) — Preceding unsigned comment added by Khflottorp (talk • contribs)
- The whole thing described in the article isn't about failing to decode text messages properly, but about the vulnerabilities in the library that's used to display multimedia content, which isn't limited to text and MMS messages. — Dsimic (talk | contribs) 21:30, 9 November 2015 (UTC)
Detection App
[edit]There is a Detection App.[1] Source:[2] — Preceding unsigned comment added by 91.221.58.24 (talk) 11:16, 6 August 2015 (UTC)
- Thanks for pointing it out, I'm working on incorporating newly released information into the article. — Dsimic (talk | contribs) 12:13, 6 August 2015 (UTC)
- Unfortunately, I'm too tired to do it now, will get it done later today. At the same time, I'm going to update and expand the article further, providing more context and a better layout. — Dsimic (talk | contribs) 09:28, 7 August 2015 (UTC)
Outdated article
[edit]This article has not had a significant update for over a year. Would the original author group please review the current status, especially with Android 7.0 now available on some devices, as of September 2016. I work for a US-based corporation that fully bans Android devices from connecting to the corporate services such as email and mobile management, because of the belief that Stagefright is still a serious issue for all Android devices. Is this belief mistaken? Haryadoon (talk) 00:48, 4 September 2016 (UTC)
- I've somewhat updated the article. Unfortunately phones vulnerable to stagefright that cannot be upgraded in some way should absolutely not connect to the internet at the risk of becoming a danger for its owners private life. It is outrageous that manufacturers abandoned these devices, actually letting them become expensive bricks; I'm concerned that consumers didn't start a class action. Ogoorcs (talk) 21:50, 10 June 2017 (UTC)
Why does a bug have its own logo?
[edit]The image is captioned "Logo of the Stagefright library bug". Who gives a bug a logo? What is the "official" etc. status of this logo? Equinox ◑ 07:43, 17 November 2017 (UTC)
- C-Class Computer Security articles
- Mid-importance Computer Security articles
- C-Class Computer Security articles of Mid-importance
- C-Class Computing articles
- Mid-importance Computing articles
- All Computing articles
- All Computer Security articles
- Low-importance Computing articles
- C-Class software articles
- Low-importance software articles
- C-Class software articles of Low-importance
- All Software articles