Forristal first responsibly disclosed the flaw to Google in February of this year. It is currently known by Google as Android security bug 8219321.
The flaw is present in all versions of Android from 1.6 forward. Forristal said that all of Google’s Open Handset Alliance Android partners received the patch code in March. The patch has now also surfaced in CyanogenMod, the after-market firmware for rooted Android devices.
Forristal stressed that bug finders and vendors should always actively communicate and take the time necessary to move forward and manage the risk from reported flaws.
In the case of this master key flaw, Google initially set the timeline for disclosure at 90 days, with the idea being that by June many Android ecosystem partners would already have fixes out to users.
While Google has made patched code available to Android vendors, it’s not clear whether all vendors and their carrier partners have made the patched code available to end-users.
To determine whether you are at risk, Forristal has built an app, available on the Google Play store, that checks whether a device carries the patched code.