3

This answer (to what can you do about Stagefright) says "use Firefox". Why is FF not vulnerable and Chrome is?

Community
  • 1
Clay Nichols
  • 1,369
  • 6
  • 19
  • 33

1 Answers1

2

Firefox have used Android's StageFright Media Library which is disabled by default in Firefox for Android after the stage fright issue is found in Android devices. So the Firefox browser tries to use the Hardware decoder first and then the software decoder as a fallback. You can see the about:config page and search for stagefright keyword. Based on this article,

If Firefox does not recognize your hardware decoder, it will use a safer (but slower) software decoder. Daring users can manually enable hardware decoding. Enter about:config as described above and search for “stagefright”. To force hardware video decoding, change the “media.stagefright.omxcodec.flags” preference to 16. The default value is 0, which will try the hardware decoder and fall back to the software decoder if there are problems (Bug 797225). The most likely problems you will encounter are videos with green lines or crashes.

So if you are using Firefox make sure that the about:config values for the flags media.stagefright.omxcodec.flags and stagefright.disabled and stagefright.force-enabled stays default (i.e. 0, false, false).

Screenshot_Firefox_about:config-stagefright

Screenshot (click to enlarge)

While Zimperium zLabs' VP of Platform Research and Exploitation, Joshua J. Drake hasn't said not to use Chrome. But he has suggested that Firefox is your best bet to avoid hacking by browser in his tweet.

Lucky
  • 3,331
  • 8
  • 34
  • 53
  • us to clarify: stagefright.disabled = false, correct? (seems poorly named setting. Disabled=false would mean true to me.) – Clay Nichols Sep 02 '15 at 13:16
  • Yes, stagefright.disable = false is correct and is the default value. Updated the answer with screenshot with default values of a freshly installed Firefox. – Lucky Sep 02 '15 at 13:40