Google Fixes Rooting Vulnerabilities In Android

itwbennett writes: Google released over-the-air firmware updates for its Nexus devices Monday and will publish the patches to the Android Open Source Project (AOSP) repository by Wednesday, fixing a new batch of vulnerabilities in Android that could allow hackers to take over devices remotely or through malicious applications. The new patches address six critical, two high and five moderate vulnerabilities. The most serious flaw is located in the mediaserver Android component, a core part of the operating system that handles media playback and corresponding file metadata parsing.

Re:

[LichtSpektren]

You're right for the crappo sub-$100 phones, but flagships and Nexus devices do get the security updates.

Re:Android security? lol!

[minus9]

"No one will get these fixes."

Not even the people who are mentioned in the article you're replying to? The ones with Nexus devices that the fixes were pushed out to on Monday?

Re:

[Anonymous Coward]

I can't wait to get these updates for my Galaxy Nexus!

Re:

[BronsCon]

You mean your 4 year old phone that you bought while Google had a published 2 year (from first sale) major update, 3 year (again, from first sale; or 18mo from last sale in the Google store) security update policy? If you're claiming you didn't know what you were buying, that's on you. That said, there's nothing stopping you from installing Chroma on it; Android 6.0.1, splt-screen windowing, and a host of other features, including these updates once the maintainers issue another release after the updates hi

Re:

[swillden]

You mean your 4 year old phone that you bought while Google had a published 2 year (from first sale) major update, 3 year (again, from first sale; or 18mo from last sale in the Google store) security update policy? If you're claiming you didn't know what you were buying, that's on you.

To be fair, Google didn't have an official support policy for Nexus devices when the Galaxy Nexus was released. In fact, Google didn't have such a policy until August 2015. It was understood previously that devices would get updates for a couple of years, but there was no specific commitment.

Actually, it seems that official update policies for mobile devices are a new idea. AFAICT Google's was the first, and I don't know that any other company has yet matched it. That includes Apple -- though in practice

Re:

[BronsCon]

In fact, Google didn't have such a policy until August 2015.

I'll take your word, given that you're a Google engineer, but I seem to recall reading the policy before I bought my Nexus 6 in November 2014. I was under the impression that they had simply rewritten the policy and issued a few press releases in August 2015.

Re:

[Forever Wondering]

I just got an OTA update that fixed the stagefright vuln for my [Boost] Galaxy S3. AFAICT, it was [mostly] just security fixes, which is fine.

IMO, Google had to create the tools for the "rapid response" updates, which they did. Now, [IMO smart] vendors like Moto, Samsung, et. al. are beginning to use them.

As a computer engineer myself, I use git. I know how relatively easy it is to apply source patches to older tree branches using it. Since git is at the core of Android source tree development, this is al

Re:

[BronsCon]

Well, yes, if you by the cheap shoddy ones, they are. Here's a tip: don't buy cheap shoddy crap.

New old stock as entry-level phone

[tepples]

Many Android devices have a guaranteed update period of time. eg: 2 years for the Moto G (180$).

Is that two years after you buy one new or just two years after release day? Some carriers sell previous generation phones as entry-level devices. They're "new" in the sense of never having been used since burn-in by the manufacturer, but they're new old stock [wikipedia.org].

Re:

[Lunix Nutcase]

Motorola hasn't guaranteed what the GP states. Motorola has made promises of things but there's no contract to provide updates.

Re:

[Lunix Nutcase]

Guaranteed by what? Where's the legally-binding contract you have with Motorola for 2 years of updates?

Re:

[bill_mcgonigle]

Guaranteed by what? Where's the legally-binding contract you have with Motorola for 2 years of updates?

Did they advertise it? Did he buy one? Then its a contract that the courts will enforce.

Don't make the mistake of confusing the paper of a written contract for a contract. Of course it's cheaper to buy a new phone than engage in a court battle since we don't have marketable torts [youtube.com] in the current Western systems.

Re:

[Lunix Nutcase]

Did they advertise it? Did he buy one? Then its a contract that the courts will enforce.

No, they haven't which is why I'm asking how he got a contract from Motorola for 2 years of updates. At best Motorola has made non-committal statements about updates but nowhere have they ever gave a legally-binding guarantee of 2 years of updates. The fact that the 2015 Moto E won't get Marshmallow is an attests to no such legally-binding guarantee.

Don't make the mistake of confusing the paper of a written contract for a contract. Of course it's cheaper to buy a new phone than engage in a court battle since we don't have marketable torts [youtube.com] in the current Western systems.

I'm not mistaking anything. Don't make the mistake of assuming things since you're not a very good mind reader.

Re:

[BronsCon]

Or a Nexus device. I already have these updates.

Re:

[Krojack]

I already got them. So you want to correct yourself?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[tepples]

My phone makes calls that cost money

I thought the majority of smartphones were on plans with unlimited talk and text by now, and that major U.S. carriers were making pay-per-minute plans available only for dumbphones.

Re:

[Penguinisto]

Depends on another factor entirely - the destination phone number (e.g. if that phone # begins with 1-900 ).

A dialer that surreptitiously dialed a cost-per-minute "premium" phone number would be a way for a black hat to make money. Doesn't have to be more than a minute or two a week per phone, say $2.50/call per week per phone ($10 per month would be small enough to pass muster for most users, who would pay it without a second thought, if they even checked their phone bill). $10/mo multiplied by N victims w

Re:

[tepples]

What else would I need to block at the carrier other than 1-900 and international calls?

Re:

[Penguinisto]

Depends (err, again)... sometimes 'premium' numbers are 1-866 or 1-877, and internally shift to a 1-900 (though your phone wouldn't see that happen). I only pointed out 1-900 for clarity/shorthand more than anything else.

Re: Android security? lol!

[Miamicanes]

That was briefly true for a short time in the 90s (the ESS switching protocol exposed functionality whose security assumed it was under the control of a responsible phone company, but could be abused by malicious clients), but not any more. The vulnerability was fixed, and the FCC made it clear that any charges for fraudulently redirected calls HAD to be refunded to consumers. That's part of the reason why mobile phone carriers block calls to those numbers outright... they aren't required by law to particip

Blocked

[tepples]

I wasn't aware that U.S. carriers were even allowing international calls by default without letting the subscriber set up and agree to a rate plan for them. Otherwise, an app that takes the dialer permission for itself would just get "This number is blocked."

Re:

[golgotha007]

Oh, this is all FUD. Hackers of these exploits aren't using them to place long distance phone calls.

Re:

[fluffernutter]

You have a point if this happens... I personally haven't heard of it happening. Plus I'm sure if it did happen, the phone company would refund the charge.

Re:

[fluffernutter]

I did some googling and found the pwn2own vulnerability, but to do that you have to have a fake station in range of your phone, so it seems highly unlikely any given person would ever get hit by it. Are there any highly practical attacks that can dial a phone without someone knowing?

Sweet

[afidel]

That means end users will be able to use these to root their devices for the next 12-18 months since the patches won't be applied by most OEM's before then. On the downside it means you can be spearfished through an MMS.

Re:

[greenfruitsalad]

i'd much rather see nice, solaris style RBAC built into android.

Re:

[guacamole]

I am not even sure if your comment is on topic, but I recall that RBAC is basically Sun's answer to sudo. As usual, instead of adopting in a well known, well liked, and well understood open source program into Solaris 8, Sun came up with its own "RBAC", which only works on Solaris and barely anyone used it.

Re:

[greenfruitsalad]

what i mean is that running android applications as root is currently necessary to achieve some goals (e.g. app backups) but stupid from a security point of view - all or nothing permissions. that's one of the reasons google isn't too keen on this.

instead, i'd like a finer grained privilege escalation that's well integrated into the system instead of a dangerous hack. RBAC as implemented in solaris or aix is a beautiful way of doing such things (not so much in HP-UX). it is more advanced than sudo but not a

Re:

[ITRambo]

Turn off push MMS. Problem solved.

Re:

[110010001000]

And Bluetooth, since there is a privilege escalation issue there too (CVE-2015-6641). In fact, just turn off everything, then you will be completely safe. Maybe. Just to be 100% sure, keep the phone off and pull the battery.

Re:

[BronsCon]

And the same applies to and computer system. Funny, that.

Re:

[aynoknman]

Drop it in a bucket of water just to be sure.

Re:

[LichtSpektren]

That means end users will be able to use these to root their devices for the next 12-18 months since the patches won't be applied by most OEM's before then. On the downside it means you can be spearfished through an MMS.

Perhaps I'm misreading your post, but you seem very confused. Unlike jailbreaking iPhones, where one has to find some tiny privilege escalation vulnerability before Apple does and then abuse it to flash a custom ROM, Android is designed to allow rooting fairly easily. In fact, Google themselves provide a page that gives layman instructions to how to unlock the bootloader and flash the stock ROM for their Nexus devices (https://developers.google.com/android/nexus/images); that includes all the latest securit

Re:

[tepples]

Unlocking the bootloader and flashing a ROM requires a backup, wipe, and restore. What's the easiest way for a user to be sure that a backup tool downloaded from Google Play Store actually saved everything in a way that it can restore?

Re:

[LichtSpektren]

Use Carbon (Titanium is superior if you're already rooted, but Carbon should do the trick). Try deleting an app and restoring it from backup as a test. Unfortunately there's no way to be 100% sure unless you test every single app you wanted to backup, but that's true of all backup systems unfortunately.

Helium or Carbonite?

[tepples]

Just to be sure, did you mean ClockworkMod Helium (formerly Carbon) [clockworkmod.com], or did you mean Carbonite [carbonite.com]? I'm guessing Carbonite is responsible for the rename to Helium [droid-life.com].

Mouse Slip on Comment Mod: Windows 10

[IceAgeComing]

Hi Licht,

My mouse failed when I was moderating one of your Windows 10 comments, and I accidentally selected "Redundant" instead of "Insightful". I wanted to let you know, and this was the only way I knew how without undoing my other mods.

Re:

[swillden]

Unlocking the bootloader and flashing a ROM requires a backup, wipe, and restore. What's the easiest way for a user to be sure that a backup tool downloaded from Google Play Store actually saved everything in a way that it can restore?

What apps do you use that need to be backed up? Games, I suppose... if you care about having your progress saved.

Personally, I don't worry about backup/restore. When I reflash, or get a new device, I just start clean. Pretty much everything I'd care to back up and restore is synced to the cloud anyway, so it just shows up. Android Marshmallow made it particularly slick the most recent time. It asked if I wanted to restore all my apps and stuff from my old phone and it did an outstanding job. Nearly everyt

Re:

[afidel]

That's only true for Nexus devices, for devices with locked bootloaders and stock ROMs without root and no first party root ROM then you need to exploit a bug to gain root and then either gain permanent root or install a slotted second level bootloader that can bootstrap a rooted ROM image.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[afidel]

Uh, good for you? I use MMS on a weekly basis, either for picture messages with the wife or for messages greater than 160 characters.

Re:

[gstoddart]

You understand this is a fix for the Nexus devices, right? Those are the Google branded ones without OEM crap on them.

So, no.

The OEMs have likely introduced their own security holes they'll have to deal with.

Re:

[afidel]

No, this is a fix to AOSP which is the base tree for the OEM's, the OEM's might have additional bugs but they'll also need to apply these fixes to their own code tree, test, and push out the fixes (or not as is their want, though the big OEM's are now at least paying lip service to monthly security patches but it seems to really only be for flagship and flagship-1 and some midrange hero devices while a lot of their product range sits unpatched)

Re:

[lokedhs]

You might want to read the entire article summary (no need to even RTFA). Here, I'll help you by even highlighting the relevant part:

Google released over-the-air firmware updates for its Nexus devices Monday and will publish the patches to the Android Open Source Project (AOSP) repository by Wednesday

Re:

[afidel]

Wow you're a horses ass, the second part is the important part for 99.999+% of Android users, they're releasing it to AOSP so that flows into all the other providers source tree.

Re:

[guacamole]

Your comment reminds me the old Soviet joke about a director of a kolkhoz, who during an important meeting announced: "I have two news for you, one good and the other bad. The bad news is that we lost all crops and we will have to eat shit all of the next year. The good news is that we have plenty of shit!"

Still lots of binary blobs

[tepples]

Android is open sores.

First-stage bootloaders often are not. Nor are device drivers on most phones. And that's even without considering Google Play Store/Services.

Ask Slashdot :

[invictusvoyd]

A friend of mine uses an android phone offline. He never connects to the internet and never receives any MMS . He only uses inbuilt apps and text and calling . What is the kind of risk he is exposed to ?

P.S. he is not interested in android updates and is only using an android phone because Nokia went bust.

Re:

[invictusvoyd]

Please note he *does* use SMS

Re:

[110010001000]

A lot. Since he is using text messaging, he can receive a MMS. This MMS can do anything to your phone because of the bugs. You don't even need to open the MMS. You cant prevent getting a MMS if you have text messaging enabled. Also, Google logs everything you do on your phone, so that is a risk as well. Personally I would avoid smart phones entirely if you are worried about security or privacy. Since he never connects to the Internet and never does MMS a simple flip phone will do for him.

Re:

[minus9]

You can disable the auto retrieval of MMS though.

Re:

[idontgno]

I don't think you were reading who you were responding to, or read but discounted it.

PP (Parent Poster) indicates that the hypothetical user isn't connecting to the internet. MMS requires internet connectivity to deliver its "more advanced than SMS" payload. From Wikipedia: [wikipedia.org]

Technical description

MMS messages are delivered in a totally different way from SMS. The first step is for the sending device to encode the multimedia content in a fashion similar to sending a MIME message (MIME content formats are d

Re:

[thegarbz]

You may consider that in the hypothetical case but not on the realistically configurable case.

Voice only no data plans exist and will still allow MMS retrieval.
Disabling of data on the phone is possible but will still allow MMS retrieval.

MMS are treated differently by the carriers so they are treated differently on the phone as well. There's no reason to assume that no internet means no MMS.

Re:

[110010001000]

They don't. But that guy isn't using CM. Even with CM the carrier is watching you.

Re:

[LichtSpektren]

Please don't give security advice when you don't know what you're talking about. MMS is only a vulnerability insofar that it can embed a dangerous file, but so long as one turns off auto-retrieving MMS files, you're in no danger from it. "Google logs everything you do" is not a security risk, it's a privacy risk, but AFAIK all of the telemetry and cloud services can be turned off if you're willing to tinker with the right settings (unlike Windows 10, which lies to you and tells you the telemetry is off when

Re:

[110010001000]

The default setting is on for MMS apps including the built in Google ones. "but so long as one turns off auto-retrieving MMS files, you're in no danger from it" The vast majority of people aren't going to do this. He is in danger even if he doesn't think he is receiving MMS, because they receive MMS automatically by default. And yes, Google tracks you server side. You cannot turn off the tracking. You are naiive if you think you can.

Re:

[JackieBrown]

The default setting is on for MMS apps including the built in Google ones.

"but so long as one turns off auto-retrieving MMS files, you're in no danger from it"

The vast majority of people aren't going to do this.

The vast majority of people would not want to do this.

Re:

[LichtSpektren]

The default setting is on for MMS apps including the built in Google ones. "but so long as one turns off auto-retrieving MMS files, you're in no danger from it" The vast majority of people aren't going to do this. He is in danger even if he doesn't think he is receiving MMS, because they receive MMS automatically by default. And yes, Google tracks you server side. You cannot turn off the tracking. You are naiive if you think you can.

Um, okay? Nobody says security is idiot proof. There's plenty of ways to get iOS fucked as well, if you're talking about unwise decisions that the vast majority of people will do. My only point was that Android is not insurmountably insecure.

Fix bootlocked Kitkat?

[emil]

I'd like to fix my mediaserver and stagefright. I'd run Cyanogenmod, but Verzion prevents me from using an unsigned kernel.

If I follow these instructions for my Samsung phone [cyanogenmod.org], can I pull the mediaserver and stagefright libraries out of the resulting .zip and load them in place of the existing binaries, can I have a running system that closes the exploits? I can likely use the nm utility on the resulting .so and check that all the symbols in the old libraries exist in the new.

The build process appears to pul

Re:

[clonehappy]

I hate to be this guy, but why do you run a device that won't let you install your own software? I don't mean to say you shouldn't use Android, but my Verizon LG G3 at least allows me to root it and install a custom recovery so I can run Cyanogenmod or whatever other custom builds I'd like.

This is why I would never buy a Samsung phone, way too locked down for what I want to do with it. I have an iPhone and an iPad for all of my walled garden needs, I refuse to accept the same from Android. If the day eve

Re:

[emil]

I do agree, it was a mistake. I bought the phone because Cyanogenmod's website said that it was compatible, and I didn't thoroughly research it. I'm now running Alliance, and pondering a hardware service that can unlock the bootloader for $80.

I need Verizon because we have repeaters for it at work. I hate those people, and I'm on an mvno.

So, for me to get this patch

[fustakrakich]

I have toss my perfectly good Galaxy Nexus into the bin, and buy a new phone? How sweet! The upgrade treadmill is fully operational..

Re:

[LichtSpektren]

I have toss my perfectly good Galaxy Nexus into the bin, and buy a new phone? How sweet! The upgrade treadmill is fully operational..

I'm not happy that Google doesn't update the Galaxy Nexus anymore, but you still have CyanogenMod if you want to keep getting security updates for your phone: http://download.cyanogenmod.co... [cyanogenmod.com]

Re:

[BronsCon]

Or, install Chroma (6.0.1 on an over 4 year old phone FTW) or CM (not sure what Android version the current release the the Galaxy Nexus is based on) and get on with your life. Chroma even includes a few additional features like split-screen windowing.

Whew!

[ThatsNotPudding]

Just in time! I got the Lolipop update with the Stagefright fix on my Verizon Moto G two months ago.

Since then I was starting to get the DTs from not having any Android vulnerabilities. Thanks all around!

Re:

[Rob MacDonald]

Learn to count.... This one, then: Posted by samzenpus on Tuesday January 05, 2016 @08:12AM from the new-weapon dept Posted by samzenpus on Monday January 04, 2016 @02:41PM from the like-a-sieve dept. So that's 1 a day, and I stopped looking after hitting "older" 4 or 5 times and not finding a single one. So you are complaining about 3 articles from the same source in 3 days? Have you seen the amount of DICE crap on here? Jesus.

Re:

[wonkey_monkey]

If I want to read CSO articles I'll just visit it.

You could say that about any Slashdot summary. So why come here at all?

Re:mmm

[Teun]

The article is about Nexus devices, they are supported for many years.

Re:

[sanf780]

Do not tell that to Nexus S owners. Still, it is good that at least Google keeps promising long term support.

Re:

[Anonymous Coward]

Do not tell that to Nexus S owners. Still, it is good that at least Google keeps promising long term support.

Google doesn't "keep promising" long-term support. Google has a specific support policy for Nexus devices: Security patches are provided for three years from the date the device goes on sale in the Play Store, or 18 months from the date the last device is sold from the Play Store, whichever is longer. Major upgrades are provided for two years from the date the device goes on sale.

Some may wish those support durations were longer, but AFAIK, Google is the only seller of mobile devices that offers any firm (a

Re:

[Anonymous Coward]

'many years' meaning ~2 years. There's no updates for Nexus 7 2012 or Nexus 4 devices.

Re: mmm

[kb7oeb]

Nexus 7 2012 and Nexus 4 are not getting security patches, look at the official image build versions, they are not current for lollipop.

Re:

[sociocapitalist]

The article is about Nexus devices, they are supported for many years.

Well that's the point isn't it. The updates are available for Nexus devices but the vulnerabilities are in Android...of which the vast majority are not Nexus devices and do not have, and never will have, security updates for these vulns.

Re:

[BronsCon]

And here's another point: Google made their support promise for Nexus devices legally binding, while other manufacturers, including Apple have not. If you want guaranteed support for some predetermined period, you get a Nexus device, period. If you really don't care about getting updates or security (in which case, shut the hell up already), then you buy something else.

While Apple has generally been good about long term device support, there is nothing indicating that they will continue to be. As my wife

Re:

[sociocapitalist]

And here's another point: Google made their support promise for Nexus devices legally binding, while other manufacturers, including Apple have not. If you want guaranteed support for some predetermined period, you get a Nexus device, period. If you really don't care about getting updates or security (in which case, shut the hell up already), then you buy something else.

While Apple has generally been good about long term device support, there is nothing indicating that they will continue to be. As my wife is an iPhone user and her and I are both iPad users, I certainly hope the keep it up, but I'll be neither surprised not disappointed if they do not; I knew what I was buying when I bought it.

Sure, and I knew what I was buying when I got my Android based Marshall music player (which also happens to be a normal Android phone but I chose it for the sound quality so I'm calling it a music player ;-) ), and I accept the fact that it's insecure - which does not mean that I like the fact that it's insecure.

As such, until and unless the Android model changes I'll continue to complain about it as publicly as possible in the hope that enough people will complain to Google that something gets done about i

Re: mmm

[BronsCon]

And Google can do approximately...nothing about it. Google isn't the one realeasing, then not updating, devices.

Re:

[sociocapitalist]

And Google can do approximately...nothing about it. Google isn't the one realeasing, then not updating, devices.

Sorry but no.

Google owns the OS, the architecture for the OS and the model of distribution for that OS.

If Google were to abstract the hardware layer from the rest of said OS, allowing hardware vendors to provide only drivers and forcing telephone service providers to not block the distribution of Android then there would be no problem.

The model is broken.

Re:

[BronsCon]

Uhm... It's Linux, the hardware layer is abstracted, it does use drivers, and hardware manufacturers need only provide drivers. Also, whether the hardware layer is abstracted from the OS or not has nothing to do with whether or not providers can block distribution of firmware; the manufacturers work out their own contracts under which the carrier sells their devices and the carrier often demands this. Google has no say in a carrier's negotiations with a device manufacturer. My pipe is empty, can you please

Re:

[sociocapitalist]

"My pipe is empty, can you please share some of whatever it is that you're smoking? Seems like some good stuff and I could use a good day trip."

Why do people on this site have to be dicks?

Re: mmm

[BronsCon]

If, by that, yku mean why do theh have to spout off about thungs they don't understand, that's a question for you to answer. I've grown tired of trying to educate people and getting shit on for it, so this has become my approach: the pre-emptive attack. Blame your fellow slashdotters for making me this way, because it's a relatively recent development.

Re:

[sociocapitalist]

If, by that, yku mean why do theh have to spout off about thungs they don't understand, that's a question for you to answer. I've grown tired of trying to educate people and getting shit on for it, so this has become my approach: the pre-emptive attack. Blame your fellow slashdotters for making me this way, because it's a relatively recent development.

Take responsibility for your own actions.

Have a wonderful day :-D

Re: mmm

[BronsCon]

Likewise. You know, for spouting off about shit you don't understand.

Re:

[Anubis IV]

The article is about Nexus devices

Which is all well and good, but that doesn't change the fact that the vulnerability is a part of Android, hence why Google is also having to push the fixes out to AOSP. As such, while the OP may be trolling a bit, their concern remains a valid one: how many of the handset manufacturers that have utilized a vulnerable version of AOSP will push these fixes out to their handsets?

Mod up

[bogie]

Or don't. If you don't know that 85% of Android devices won't ever get proper security/platform updates due to Phone/Tablet OEMs being completely clueless regarding security then go back to sleep. Phone companies just want to concentrate on billing you as much as possible per GB and Tablet OEMs? Don't get me started on the glut of crappy Android tablets that have been rushed out the door over the years.

A total disservice to a solid OS.

Re:

[iampiti]

Yeah, I love Android but the update policy is atrocious. I'm not for Google gaining an Apple-like control of the OS - I think the enhancements by the OEMs are sometimes valuable - but security updates should definitely be managed in a better way