Researchers say that the first attempt by Google to patch the Android Stagefright vulnerability was incomplete and still left devices at risk to exploit. Google will not be able to push out the full patch until September.

The first attempt at a fix was a bundle of six patches released early last week by Google for its line of Nexus devices. However, researchers found that one of the patches was incomplete, so devices were still at risk after the patch.

The Stagefright flaw was first disclosed by Zimperium zLabs about three weeks ago. The vulnerability could allow remote code execution via an exploit delivered in a specially crafted MMS message. The flaw does affect Android versions 2.2 and newer, but Google has stated that versions 4.1 and newer use memory address space layout randomization (ASLR) which makes a successful exploit much more difficult.

Android version 4.1 and newer make up 91% of the market, according to Google’s latest platform statistics. That still leaves millions of older devices at higher risk, but experts say it also lowers the likelihood that enterprises would be at risk, especially those with MDM policies requiring newer devices for employees.  

According to Tod Beardsley, engineering manager at Boston-based Rapid7 LLC, the problem is not a flaw in the Android software, but rather in the process for remediating those issues.

“Shipping vulnerabilities literally happen to everyone, so everyone needs to be prepared to fix vulnerabilities before the bad guys get a chance to exploit them,” Beardsley said. “This means having reasonable patch pipelines in place for the inevitable security bug event. The Android ecosystem, today, isn’t tooled for this. Patches can hit Google’s source tree, but it takes weeks to months to get these patches on the devices in users’ hands, with enormous, heroic effort. And even after this heroism, large chunks of the population won’t get these patches at all.”

Because of Google’s patching policies, it is also unclear what versions of Android will be receiving patches at all. Earlier this year in dealing with vulnerabilities in the Android WebView component, Google said it would not provide patches to Android versions 4.3 and older. This would leave the devices at the highest risk for exploit via Stagefright without patches.

Google did not respond to comment requests on this matter at the time of this publication.

Beardsley said it may be time that Google fundamentally rethink the patching process on Android.

“Google recognized the problem of operating system updates when PC Browsers had bugs, and the Google Chrome engineering teams designed in continuous patching. Now, it’s practically impossible for regular users to avoid running the latest Chrome,” Beardsley said. “I hope the Android teams get to this point sooner rather than later. A month of lag time for a fix for high-profile issues like the ones in Stagefright is a dangerous race to run with malicious actors.”