In a post on its forum early on Friday (Hong Kong time), OnePlus announced that it is releasing an update to its Oxygen OS Android ROM for the OnePlus One to patch the Stagefright bug. The Oxygen OS 1.0.2 update can be downloaded directly from the OnePlus forum through the links provided by Helen, Head of Mobile Product at OnePlus. While this is good news for OnePlus One users running Oxygen OS, Cyanogen users are probably still left wondering when they will get the long-awaited update to patch the vulnerability. CyanogenMod Nightly 12.1 has reportedly already patched the bug, while Cyanogen OS is expected to patch it once the company releases its stable 12.1 build at some stage over the next few weeks. As a reminder, the OnePlus One was originally launched with Cyanogen OS, but after an acrimonious falling-out between the companies, OnePlus launched its own Android-based ROM called Oxygen OS, which is now pre-installed as default on the OnePlus 2.
The current update is expected to patch a vulnerability in Android’s ‘Stagefright’ multimedia library. The flaw was originally discovered by Zimperium zLabs and reportedly allows hackers to take control of a device remotely by injecting malicious code through a multimedia file sent via MMS (Multimedia Messaging Service). The only information a hacker needs is the phone number of the intended victim. While many OEMs and carriers have only recently started rolling out patches, a report published on Thursday by Exodus Intelligence is already questioning the effectiveness of the patch, pointing out that one of its security researchers found “a severe problem with the proposed patch”. If true, the current set of patches might need further patching before the bug is actually fixed.
While Google reportedly did not reply to the concerns raised by Exodus Intelligence, it does say that the vulnerability may affect as many as 950 million Android devices worldwide, which isn’t hard to believe, as Stagefright has been Android’s multimedia library since the days of 2.2 Froyo. After the initial discovery was made public in late July, Google released an official statement about the vulnerability, saying, “currently over 90% of Android devices have a technology called ASLR enabled, which protects users from this issue. We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update”. It is not yet known whether the company is working on the concerns raised by Exodus Intelligence.