Update: 10th January 2016:
Further updates addressing newer issues within libstagefright have been made available. Please see this more recent blog post for details.
In early November Google began rolling out an update to it’s Android smartphone operating system to resolve 7 CVEs (defined)(2x critical severity, 4x high severity and 1x moderate severity). This update brings Android to Build version LMY48X The newest version of Android version 6.0 (known as Marshmallow) also includes these fixes if it’s patch level is dated the 1st of November or later. This update includes 4 fixes relating to more vulnerabilities in Stagefright (discussed in a previous blog post).
Why Should These Issues Be Considered Important?
The 4 issues related to Stagefright were assigned critical and high severity by Google. Such critical flaws will allow an attacker the ability to have the device carry out any instruction they wish (otherwise known as remote code execution). Google provides more specifics in it’s Google Groups post which includes that attackers could try to exploit these flaws when playing back media in a web browser or via an MMS message (defined).
How Can I Protect Myself From These Issues?
Fixes for these issues began to be made available on the 5th of November to Google Nexus devices. Manufacturers such as Samsung received these updates on the 5th of October.
As mentioned by Sophos you may need to ask your device manufacturer or mobile carrier when this update will be made available to you. As discussed in my previous post on Android updates, please ensure to only apply updates from your mobile carrier or device manufacturer.