Credit: Uncalno Tekno Google has released another patch for the Stagefright vulnerability after a security firm said the first one didn’t fix it.Hundreds of millions of Android devices are vulnerable to Stagefright. A device can be compromised merely through the receipt of a specially crafted multimedia message (MMS), so an attacker needs only the victim’s phone number.The flaw was found by Joshua Drake at mobile security firm Zimperium, which submitted a set of patches along with its bug report. Google released its first patch for Stagefright last week.But a researcher with another security firm, Exodus Intelligence, discovered a flaw in the patch intended to fix Stagefright. He crafted a malicious MP4 file that could bypass the fix. Exodus notified Google on Aug. 7 but didn’t get a response and decided to make the information public, Aaron Portnoy, an Exodus vice president, said in a blog post. Google has since acknowledged Exodus’s report and assigned it as CVE-2015-3864. Portnoy wrote that he was surprised such a major vulnerability didn’t get an effective patch the first time around.“Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period,” he wrote. “If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?” In a statement Thursday, Google said it had sent its latest fix to its partners. Devices in its Nexus line, including the Nexus 4, 5, 6, 7, 9, 10 and the Nexus Player, will receive an over-the-air update as part of the company’s monthly patch update for September.Google said at the Black Hat security conference earlier this month it would issue monthly security patches for Android devices after Stagefright exposed millions of devices to attack. Major vendors such as Microsoft, Adobe Systems and Oracle have for years released security fixes on a regular schedule.But the problem with mobile devices is that operators play a key role in distributing patches. While for the last three years Google has sent patches to mobile operators, it was up to those companies to send the patches to users. That process happened slowly if at all.Major Android manufacturers including Samsung and LG have also committed to working with carrier partners to distribute monthly patches.Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe