At the Black Hat security conference this morning, Adrian Ludwig, Google’s lead engineer for Android security, assuaged fears about the recent Android Stagefright vulnerability reported to affect nearly a billion Android devices.

The surge in interest in the Stagefright vulnerability was precipitated by the Black Hat security conference taking place in Las Vegas. It began when Joshua Drake – the security analyst with Zimperium who discovered the vulnerability – tweeted about it to promote his Black Hat talk about his discovery, pointing to his place on the conference schedule. A few days after the tweet, Drake gave an interview about the Stagefright vulnerability to National Public Radio (NPR). It was subsequently reported in Forbes, Fortune and Wired, followed by a deluge of related stories across the tech blogosphere.

Drake had reported the vulnerability to Google in April. As Drake told NPR, “Within 48 hours I had an email [from Google] telling me that they had accepted all of the patches I sent them, which was great.” Drake also confirmed Google’s assessment, stating “[he] does not believe that hackers out in the wild are exploiting it.”

Members of the computer security industry adhere to a policy of responsible disclosure under which a vulnerability is kept confidential to allow time for the software vendor to patch it. Industry members also have a social responsibility to disclose the vulnerability if they feel the risks are great or that the vendor hasn’t promptly patched it.

According to Google’s Ludwig, though – and contrary to what was reported by other media outlets when news of Stagefright first broke – 90 percent of Android devices are protected from buffer-overflow vulnerabilities with a technology called Address Space Layout Randomization (ASLR).
Messenger, Google’s SMS app that was reported as the means to exploit the Stagefright vulnerability, will be updated to mitigate the risk of injecting harmful code into a video.

Google also confirmed via email that the vulnerability “was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected.”

Ludwig said that this fix and further safeguards will be pushed to all Nexus devices starting today and that Google has already sent the fix to the company’s partners. Ludwig said that many of the most popular Android devices will get the update in August.

Today’s update marks the beginning of a regular monthly cycle of over-the-air (OTA) updates to Nexus devices that are purely focused on security to keep users safe. Google’s partners will receive the corresponding source code updates each month for inclusion in similar OTA updates.

Buffer overflow what?

The Android Stagefright vulnerability falls into the category of a traditional buffer-overflow exploit. Buffer-overflow exploits have long been a staple used by bad actors to attack every kind of computing device. They’ve undergone much study by university and commercial security researchers, and many different defenses have been formulated.

A posting on stackexchange.com describes the Android Stagefright problem:

“[i]t appears that certain fields in 3GPP video metadata are vulnerable to buffer overflow attacks. In short, a 3GPP video can be given a string of metadata that, at first, exceeds a certain length, and in the end includes machine code that lands in memory that is off-limits to the application.”

Typically, a buffer-overflow exploit writes data to memory until it overflows into a memory location used to execute code. In this case, the buffer overflow occurs when a video contaminated with malicious code is received by the default Android MMS and Hangouts messaging apps.
By default, the video is downloaded automatically on arrival. The exploit is named after the Stagefright media framework, which was introduced in Android 2.2 and supports local file playback and HTTP progressive streaming.

Google’s early warning system

Google monitors for potentially harmful apps on all Android devices and on the Google Play Store as an early warning of malicious exploits in the Android ecosystem, in much the same way that the Center for Disease Control (CDC) monitors disease outbreaks.

At the heart of Google’s early warning system is Verify Apps, a module that checks app installs for malware and runs hundreds of millions of virus-like scans every day, searching for code and app behaviors that could potentially be malicious. This lets Google (like the CDC) respond proportionately to threats.

Drake reported that malicious code infecting videos automatically downloaded by the Messenger app could be executed. Google’s Ludwig pointed out in a post to his Google+ page that just because malicious code can be covertly written to memory and executed doesn’t mean that it can cause harm, due to the many defenses modern operating systems have against buffer-overflow exploits – such as ASLR.

These defenses, and Google’s report that an exploit of the vulnerability had not been detected on any consumer smartphones, don’t reduce its seriousness; Ludwig told NPR that he ranked its severity as “high” on the Google security team’s hierarchy, precipitating this morning’s announcement.

Does Android bring inherent risks?

The exploit does underscore a disadvantage of Android’s open source strategy. The open source approach succeeded in proliferating Android broadly, creating a large and diverse ecosystem of hardware makers.
Just in Time (JIT) compilation and the Android Runtime (ART) make it possible for Android and all the apps to run on many different hardware designs without the involvement of Google’s Android development team.

Other than the Nexus mobile devices sold through the Google Play Store, though, Google can’t directly update Android over the air. Google is dependent on the hardware makers to update their devices, and, in turn, sometimes the hardware makers are dependent on the mobile carriers to pass through the updates. In contrast, Apple can update its devices more quickly because it controls all the hardware and all the software. Does that mean that Android is at greater risk for security exploits? We don’t know. Android is an open source project. Security researchers as well as cybercriminals are drawn to read the source code for different reasons – one to protect, the other to compromise. Android exploits receive a lot of attention because its openness makes it good subject matter for commercial and academic security research. Other platforms such as iOS aren’t as accessible, so they aren’t as frequently discussed.

But no one knows the relative safety of the three different mobile platforms: iOS, Android or Windows 10 Mobile. Google has been reporting Android malware since the Virus Bulletin conference in 2013. This year, Google began to comprehensively and quantitatively report Android’s safety. The Android Security 2014 Year in Review [pdf] breaks down the frequency and types of Android exploits, and reports that fewer than 0.15 percent of devices using the Google Play store have any kind of potentially harmful app installed. Apple and Microsoft don’t report exploits affecting their platforms, making comparison impossible.
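
The bug class described under “Buffer overflow what?” comes down to trusting a length that arrives inside the file. The C example below is added here for illustration and is not Stagefright’s code or anything from Google or Zimperium; it copies a metadata string out of a simplified size-prefixed box, checking the declared size before any byte is copied. TITLE_MAX, the simplified box layout (4-byte size, 4-byte type, text payload) and the sample bytes are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 16 /* hypothetical fixed-size destination buffer */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_SIZE = -2, PARSE_TOO_LONG = -3 };

/* Box sizes are 32-bit big-endian integers. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Copy the text payload of one box (4-byte size, 4-byte type, payload)
 * into out. The size field comes from the file, so it is checked against
 * the header length, the bytes actually present, and the destination
 * capacity before anything is copied. */
int copy_box_text(const uint8_t *buf, size_t len, char out[TITLE_MAX]) {
    if (len < 8) return PARSE_TRUNCATED;
    uint32_t box_size = be32(buf);
    if (box_size < 8) return PARSE_BAD_SIZE;    /* box_size - 8 would wrap around */
    if (box_size > len) return PARSE_TRUNCATED; /* claims more bytes than were received */
    size_t payload = box_size - 8;
    if (payload >= TITLE_MAX) return PARSE_TOO_LONG; /* keep room for the NUL */
    memcpy(out, buf + 8, payload);
    out[payload] = '\0';
    return PARSE_OK;
}

/* Constructed sample boxes (not taken from any real file). */
static const uint8_t ok_box[]    = {0,0,0,12, 't','i','t','l', 'd','e','m','o'};
static const uint8_t long_box[]  = {0,0,0,28, 't','i','t','l',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A'};
static const uint8_t lying_box[] = {0,0,1,0, 't','i','t','l', 'x'};
static const uint8_t tiny_box[]  = {0,0,0,4, 't','i','t','l'};

static char title[TITLE_MAX]; /* destination shared by the sample calls */

int main(void) {
    printf("ok=%d long=%d lying=%d tiny=%d\n",
           copy_box_text(ok_box, sizeof ok_box, title),
           copy_box_text(long_box, sizeof long_box, title),
           copy_box_text(lying_box, sizeof lying_box, title),
           copy_box_text(tiny_box, sizeof tiny_box, title));
    return 0;
}
```

Dropping any one of the three size checks lets a crafted size field drive `memcpy` past either the input or the 16-byte destination, which is the condition ASLR then has to contain.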