Finally, Google And OEMs Get Serious About Patching Android/Linux

It’s not enough to have the most ubiquitous OS on the planet.

“My guess is that this is the single largest software update the world has ever seen. Hundreds of millions of devices are going to be updated in the next few days. It’s incredible. All Nexus devices are going to be patched, and Samsung, Motorola, HTC, LG, Sony, Android One, and hundreds of other manufacturers are going to push out the patches too”

See Biggest security update in history coming up: Google patches Android hijack bug Stagefright

Vulnerabilities will happen and you’ve got to fix them to remain credible in the markets. It took M$ decades to get serious about security by which time it was too late. Their installed base was riddled with malware and waves of security breaches. Android/Linux has stayed fairly secure by comparison but the installed base is so huge now that something more had to be done.

Too bad they can’t commit to patching “forever”. My old smartphone still runs Android/Linux 2.*… 😉

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

14 Responses to Finally, Google And OEMs Get Serious About Patching Android/Linux

  1. oiaohm says:

    The reality is if the carriers are forced by governments to take phone network security seriously then OEM in turn will take it seriously and phones without updates will not exist.

    OEM want to move product if their products will not work with carriers network due to be blacklisted they cannot sell product right kurkosdr.

    Two parties control phone network security. Carriers and Governments.

  2. oiaohm says:

    kurkosdr when it comes to phones carriers have final word. How do you think a OEM will last if carriers agreed to disconnect their product from the network.

    –And carriers do let updates go through eventually. But if the OEM says “no update”, it means no update.–
    No idiot kurkosdr there are documented cases in the time of Symbian OS being the dominant phone OS having updates and carriers never letting updates into network.

    OEM says here is a update and carrier says no the update might never be deployed history backs this state of affairs.

    Carriers have in the past blacklisted particular OEM makers phones for being insecure junk. You don’t hear of those OEM phone makers any more. Part of the panic from OEM over the SMS issue is how offended carriers were. OEM vendors under no case wants Carriers to hit the blacklist option.

    Also here is something horrible but true. The kernel version of android is linked to the first number of android. So 4.3 and 4.4 take exactly the same drivers because they are the same or close enough kernel to be ABI compatible to drivers. So coming out and saying google needs to LTS 4.3 or 4.4 means you know absolute nothing about this topic and are 100 percent determined to prove yourself as a moron kurkosdr.

    –The fix is available only for lollipop devices.–

    FUNNNY how much of a moron are you. Disabling the feature is a security patch option for those prior to 5.0. There was a key reason why I mentioned adb shell solutions. Of course you know that little about the topic you would make this mistake. Also the carriers could brick particular features like INTERNET access.

    Carriers have options to manage this. OEM of phones can find developers fairly quickly when its a sledge hammer of no more network access threat from carriers.

  3. dougman says:

    Oh you mean “malvertising”, that’s more a Win-Dohs problem. Linux does not suffer the woes of Win-Dohs.

    So, as you brought up Yahoo malvertising, this particular bit for Yahoo was for desktop computers and Windows computers, suffering abuse by-way of Adobe flash, YET AGAIN!

    http://adage.com/article/digital/malwarebytes-researcher-explains-yahoo-s-malvertising-attack/299839/

    I will beat you to the punch line, since I see where you are going with this, so I will say it. There has not yet been a single widespread Linux virus or malware infection of the type that is common on Microsoft Windows anywhere.

    Linux malware does not have the persistence like some of the crap one finds for Win-Dohs. You bring up lack of security upgrades for old devices, but fail to mention VERY OLD vulnerabilities affecting current versions of Win-Dohs.

    http://www.nextofwindows.com/what-to-do-with-this-18-year-old-still-unpatched-vulnerability-in-all-windows-versions

    http://www.techradar.com/us/news/computing/old-windows-security-flaw-resurfaces-to-steal-your-login-1290933

    What about people that use XP? They no longer get security updates, think of them and the horror!

    http://www.pcworld.com/article/2846004/microsoft-fixes-severe-19-year-old-windows-bug-found-in-everything-since-windows-95.html

    See, ONLY for VISTA…POOR XP users no help for them! *SNIFF*

  4. kurkosdr says:

    Since when having two hoops to jump through (OEMs and carriers) is better than one (carriers)?

    And carriers do let updates go through eventually. But if the OEM says “no update”, it means no update.

    In addition, Google is shifting the blame here. The fix is available only for lollipop devices. If your device’s SoC doesn’t have Lollipop drivers, or the OEM doesn’t want to spend massive R&D to port all their customizations to Lollipop, your device won’t get the fix, because Google doesn’t even LTS 4.3 and 4.4 when it comes to security patches. And Pogson had the nerve to rant about MS not fixing a vuln in the ancient Server 2003 some months ago.

    Nice double standards.

  5. oiaohm says:

    kurkosdr basically dougman is more correct than you. At least he will not have false faith in a Windows Phone Device.

    –Sure, if one updates an older phone to the latest Android, they can get updates for years and years as well and WP7? Are you serious!?….LOL, no one uses now wants that POS. Lets see, the latest release was in March 13, 2013 and has been unsupported since October 14, 2014,–

    This is only part of the story.

    100 percent of the problem with phones not getting updates is carriers. They have the power to kick non updated phones out network. They have the power to make sure updates have been deployed.

    Think who sold you those phones that are android and don’t have firmware updates. Reality phone makers change to make updates. Carriers decide not to pay for the service Phones don’t get updates.

  6. oiaohm says:

    https://www.change.org/p/at-t-microsoft-stop-the-blocking-of-device-software-updates-by-at-t-and-all-carriers
    This is Windows Phone 7.
    http://www.windowscentral.com/vodafone-australia-wont-offer-windows-phone-81-update-1-htc-8x-and-lumia-630
    Here is Windows Phone 8.

    kurkosdr really idiot here. The facts of the matter even if you have a Windows Phone device you might find it has not installed updates because the carrier has blocked it.

    So Windows Phone device might be no better off than having an Android due to carriers actions.

    Iphones can find carriers bundling OS settings into carrier provided updates that might improve or decrease your security as well.

  7. kurkosdr says:

    Why are you attempting to compare VISTA, a POS operating system to stable and highly valued OS such as Android?

    Translation from dogbrain-ese to English: “Since I don’t have an answer to the fact old (circa 2007) MS OSes receive all the security patches of their vendor, and WP7 does too, while barely old Android versions (like 4.3 or 4.4) won’t, let alone 3 and 4 year old Android devices, I will throw some verbal poop around and try to divert the discussion from security patching to popularity and market share, thinking nobody will notice”.

    You do realize there is a reason it’s you I call dogbrain, and not -say- Ohioham or Adam King?

    ——-

    For the use I make of it, there is no security problem.

    You are aware that “trustworthy” sites like Yahoo and YouTube have been targeted by malvertising (containing exploits for vulns) in the past? Does your use case involve any kind of web surfing? If so, when using your phone, you are essentially an XP user, surfing only “trustworthy” sites and hoping nothing bad (malvertizing event) will happen.

    And so is anyone who has an Android device not running Lollipop.

    So… you supposedly care about security in this blog, yet you cheer for Android in this blog.

    PS: Also, I still remember your rants about the Windows font vulns, despite the fact patches were shipped to anyone running Vista or newer. When stagefright gets patched only for the newest version, you are all smiling winky emotions. Niicee… (nice double standard, that is)

  8. oiaohm says:

    –Even if your phone “hasn’t broken OpenMax” -ask ohioham what that means- how do you plan to fix other Android security vulns in the future? D–
    kurkosdr This is a narrow minded idiot.

    2g encryption was cracked 4 years ago. Yet how many carriers around the earth still operate 2g networks. This does not matter how good your phone is if the protocol you are connecting with is broken.
    https://srlabs.de/decrypting_gsm/
    Hardware cost 500 dollars. With that hardware you can crack the network even send calls on other users accounts.

    What about the great sim heist encryption theft. Not a single carrier has done a sim card recall.

    Sorry the Android security issues are a tip of a very big iceberg.

    Now if maker of phone will not give me the means to unlock the boot loader and inload own firmware I worry. Even if they do it still does not mean the phone is not root-kitted. Why the software that controls the phones radio has higher privilege than the user OS that Android/Windows Phone is. The OS code controlling the phone radio in a lot of devices could send the complete content of the device to network.

    kurkosdr the reality in most cases the complete phone network is not properly patched let alone worry about the part in our hands.

    Is it possible for Carriers to be proactive against unpatched phones. Hell yes.

    IMEI (International Mobile Equipment Identity) of a phone tells the Carrier the model of phone. In fact its a 100 percent unique number.

    The bullshit here is that insecure devices can be locked out Mobile phone networks. Updates deployed inside the carriers network can be ticked off by IMEI number. So disable internet/mms/sms by phone until it installs updates is more than possible.

    This is why when I said it was fixable by adb shell and you complained that is too hard for normal users why I ignored you. Shop staff of carriers are the ones who would need to be trained how to do it. Yes the software could be automated. Dock phone allow adb shell have software auto audit and correct configuration for security. If the phone openmax or equal is broken attempt to sell/provide customer with new phone.

    So number of insecure devices that should be in the phone networks around the world if carrier were serious the answer is zero.

    Security weaknesses in items like wifi tablets that don’t have a unique ID number that is a different problem.

  9. dougman says:

    There is no world in which 45 pages of policy documents and opt-out settings split across 13 different Settings screens and an external website constitutes “real transparency.”

    Microsoft, “We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders)”

    http://www.wnd.com/2015/08/windows-10-spies-on-emails-images-credit-cards-more/

  10. kurkosdr wrote, “how do you plan to remedy the security hole in your phone?”

    For the use I make of it, there is no security problem. It’s mostly turned off when not in use and the probability of anyone fooling with it with wireless turned off on my walks is incredibly low. At home, I mostly use it to get time of day/weather/connect to Beast. Essentially, someone would have to pwn my network to access the smartphone, so the smartphone is not at issue.

  11. dougman says:

    KUKU,

    Why are you attempting to compare VISTA, a POS operating system to stable and highly valued OS such as Android?

    Sure, if one updates an older phone to the latest Android, they can get updates for years and years as well and WP7? Are you serious!?….LOL, no one uses now wants that POS. Lets see, the latest release was in March 13, 2013 and has been unsupported since October 14, 2014,

    The Windows phone is one BIG failure!

    https://bgr.com/2015/08/03/windows-phone-failure-microsoft-engineer/

    https://www.quora.com/Why-cant-Microsoft-just-take-any-useful-steps-to-save-the-Windows-Phone-platform

    “In short, Windows phone had to compete with two of the best tech companies in the world – one that put phones at its #1 priority and the other expertly leveraging open source community. It was a fool’s errand. It is crazy for Microsoft to compete in phones or online services”

  12. kurkosdr says:

    unlatched = unpatched (autocorrect)

  13. kurkosdr says:

    Too bad they can’t commit to patching “forever”. My old smartphone still runs Android/Linux 2.*…

    For the record, Windows Vista users still receive security patches, and I’ve upgraded 9-year old laptops to Win7 which will receive patches for years.

    But I am glad to see poor users being liberated from the tyranny of MS by buying mobile devices with Android which they control and can easily update (in case your browser doesn’t support the new HTML6 sarcasm tags, that was sarcasm).

    Even WP7 which doesn’t receive upgrades, does receive security upgrades when needed.

    (Also, gotta love the smile in the winky emoticon, you should have put sad face or anger face or sad winky)

    (Also, in this blog you have lambasted poor security practices by many companies, which means you care a lot about security. So, how do you plan to remedy the security hole in your phone? Even if your phone “hasn’t broken OpenMax” -ask ohioham what that means- how do you plan to fix other Android security vulns in the future? Do you have an answer for that question, or you admit you willfully operate an unlatched OS with vulns and all your talk about security in this blog was bubble talk???)

  14. dougman says:

    I would take Android over any M$ dogfood.

    An open ecosystem is far superior over a closed one. You can take Android Open Source Project (AOSP) code today and make your own version of Android today. If you want to, you can even take a page from CyanogenMod’s book and make an Android that works with multiple devices instead of being tied to one vendor’s smartphones and tablets. You can also build commercially viable operating systems off Android without Google Mobile Service (GMS) apps.

    Try to do that with any M$ system….LOL

    And to the M$ fools that state that “Android is NOT Linux”, well you can compile the Android code since Linux 3.3 kernel and it will boot.
