[jokr004]

Is it really that concerning? What's the worst case scenario here? If the worst thing that can happen is you get served audio that you weren't expecting then I don't really see the big deal. I'm not immediately aware of any way that someone might use this as an attack vector, but then I'm not really a security guy..

[problems]

If say, Spotify used a vulnerable audio decoder (or called into an OS one that was vulnerable), it could be used by an attacker to deploy an exploit against your device.

Now - is that very likely? Probably not, even if such a vulnerability exists modern exploit mitigation tactics often are able to prevent it from becoming very harmful. But it's worst case.

Android itself has had big media decode vulnerabilities in the past (looking at you libstagefright) but they basically turned out not to be readily exploitable due to ASLR on modern devices.

[bonzini]

> Android itself has had big media decode vulnerabilities in the past (looking at you libstagefright) but they basically turned out not to be readily exploitable due to ASLR on modern devices.

That's what the optimist says.

The pessimist says, "Android itself has had big media decode vulnerabilities in the past and they only turned out not to be readily exploitable due to ASLR on modern devices".

[problems]

Haha, yeah, I was actually sort of looking forward to the fallout from an MMS worm, brings back the good ol' days of Blaster and Sasser. Might have beat Android updates into shape too.

Unfortunately that dream never came to light.

[j_s]

iOS too: (these were just fixed, vs. the mid-2016 ones)

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2...

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2462

[jokr004]

Ok that makes sense, thanks!