Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Android Google Security

Google Fixes Rooting Vulnerabilities In Android (csoonline.com) 126

itwbennett writes: Google released over-the-air firmware updates for its Nexus devices Monday and will publish the patches to the Android Open Source Project (AOSP) repository by Wednesday, fixing a new batch of vulnerabilities in Android that could allow hackers to take over devices remotely or through malicious applications. The new patches address six critical, two high and five moderate vulnerabilities. The most serious flaw is located in the mediaserver Android component, a core part of the operating system that handles media playback and corresponding file metadata parsing.
This discussion has been archived. No new comments can be posted.

Google Fixes Rooting Vulnerabilities In Android

Comments Filter:
  • That means end users will be able to use these to root their devices for the next 12-18 months since the patches won't be applied by most OEM's before then. On the downside it means you can be spearfished through an MMS.

    • i'd much rather see nice, solaris style RBAC built into android.

      • I am not even sure if your comment is on topic, but I recall that RBAC is basically Sun's answer to sudo. As usual, instead of adopting in a well known, well liked, and well understood open source program into Solaris 8, Sun came up with its own "RBAC", which only works on Solaris and barely anyone used it.

        • what i mean is that running android applications as root is currently necessary to achieve some goals (e.g. app backups) but stupid from a security point of view - all or nothing permissions. that's one of the reasons google isn't too keen on this.

          instead, i'd like a finer grained privilege escalation that's well integrated into the system instead of a dangerous hack. RBAC as implemented in solaris or aix is a beautiful way of doing such things (not so much in HP-UX). it is more advanced than sudo but not a

    • Turn off push MMS. Problem solved.
      • And Bluetooth, since there is a privilege escalation issue there too (CVE-2015-6641). In fact, just turn off everything, then you will be completely safe. Maybe. Just to be 100% sure, keep the phone off and pull the battery.
    • That means end users will be able to use these to root their devices for the next 12-18 months since the patches won't be applied by most OEM's before then. On the downside it means you can be spearfished through an MMS.

      Perhaps I'm misreading your post, but you seem very confused. Unlike jailbreaking iPhones, where one has to find some tiny privilege escalation vulnerability before Apple does and then abuse it to flash a custom ROM, Android is designed to allow rooting fairly easily. In fact, Google themselves provide a page that gives layman instructions to how to unlock the bootloader and flash the stock ROM for their Nexus devices (https://developers.google.com/android/nexus/images); that includes all the latest securit

      • by tepples ( 727027 )

        Unlocking the bootloader and flashing a ROM requires a backup, wipe, and restore. What's the easiest way for a user to be sure that a backup tool downloaded from Google Play Store actually saved everything in a way that it can restore?

        • Use Carbon (Titanium is superior if you're already rooted, but Carbon should do the trick). Try deleting an app and restoring it from backup as a test. Unfortunately there's no way to be 100% sure unless you test every single app you wanted to backup, but that's true of all backup systems unfortunately.
        • Unlocking the bootloader and flashing a ROM requires a backup, wipe, and restore. What's the easiest way for a user to be sure that a backup tool downloaded from Google Play Store actually saved everything in a way that it can restore?

          What apps do you use that need to be backed up? Games, I suppose... if you care about having your progress saved.

          Personally, I don't worry about backup/restore. When I reflash, or get a new device, I just start clean. Pretty much everything I'd care to back up and restore is synced to the cloud anyway, so it just shows up. Android Marshmallow made it particularly slick the most recent time. It asked if I wanted to restore all my apps and stuff from my old phone and it did an outstanding job. Nearly everyt

      • by afidel ( 530433 )

        That's only true for Nexus devices, for devices with locked bootloaders and stock ROMs without root and no first party root ROM then you need to exploit a bug to gain root and then either gain permanent root or install a slotted second level bootloader that can bootstrap a rooted ROM image.

    • by houghi ( 78078 )

      I have sending and receiving MMS turned of at my provider. As well as paid services, except helpdesk numbers that are fixed priced and have a restricted duration.

      So no drunk call to sex lines by 'accident'. No sending sms to paid services. No SMS.

      I can even turn on and off roaming for in and outcoming calls seperately.

      • by afidel ( 530433 )

        Uh, good for you? I use MMS on a weekly basis, either for picture messages with the wife or for messages greater than 160 characters.

    • You understand this is a fix for the Nexus devices, right? Those are the Google branded ones without OEM crap on them.

      So, no.

      The OEMs have likely introduced their own security holes they'll have to deal with.

      • by afidel ( 530433 )

        No, this is a fix to AOSP which is the base tree for the OEM's, the OEM's might have additional bugs but they'll also need to apply these fixes to their own code tree, test, and push out the fixes (or not as is their want, though the big OEM's are now at least paying lip service to monthly security patches but it seems to really only be for flagship and flagship-1 and some midrange hero devices while a lot of their product range sits unpatched)

        • by lokedhs ( 672255 )
          You might want to read the entire article summary (no need to even RTFA). Here, I'll help you by even highlighting the relevant part:

          Google released over-the-air firmware updates for its Nexus devices Monday and will publish the patches to the Android Open Source Project (AOSP) repository by Wednesday

          • by afidel ( 530433 )

            Wow you're a horses ass, the second part is the important part for 99.999+% of Android users, they're releasing it to AOSP so that flows into all the other providers source tree.

    • Your comment reminds me the old Soviet joke about a director of a kolkhoz, who during an important meeting announced: "I have two news for you, one good and the other bad. The bad news is that we lost all crops and we will have to eat shit all of the next year. The good news is that we have plenty of shit!"

  • by invictusvoyd ( 3546069 ) on Wednesday January 06, 2016 @10:26AM (#51248029)
    A friend of mine uses an android phone offline. He never connects to the internet and never receives any MMS . He only uses inbuilt apps and text and calling . What is the kind of risk he is exposed to ?

    P.S. he is not interested in android updates and is only using an android phone because Nokia went bust.
    • Please note he *does* use SMS
    • Re: (Score:3, Insightful)

      A lot. Since he is using text messaging, he can receive a MMS. This MMS can do anything to your phone because of the bugs. You don't even need to open the MMS. You cant prevent getting a MMS if you have text messaging enabled. Also, Google logs everything you do on your phone, so that is a risk as well. Personally I would avoid smart phones entirely if you are worried about security or privacy. Since he never connects to the Internet and never does MMS a simple flip phone will do for him.
      • by minus9 ( 106327 )
        You can disable the auto retrieval of MMS though.
      • Re: (Score:3, Informative)

        by idontgno ( 624372 )

        I don't think you were reading who you were responding to, or read but discounted it.

        PP (Parent Poster) indicates that the hypothetical user isn't connecting to the internet. MMS requires internet connectivity to deliver its "more advanced than SMS" payload. From Wikipedia: [wikipedia.org]

        Technical description

        MMS messages are delivered in a totally different way from SMS. The first step is for the sending device to encode the multimedia content in a fashion similar to sending a MIME message (MIME content formats are d

        • You may consider that in the hypothetical case but not on the realistically configurable case.

          Voice only no data plans exist and will still allow MMS retrieval.
          Disabling of data on the phone is possible but will still allow MMS retrieval.

          MMS are treated differently by the carriers so they are treated differently on the phone as well. There's no reason to assume that no internet means no MMS.

      • Please don't give security advice when you don't know what you're talking about. MMS is only a vulnerability insofar that it can embed a dangerous file, but so long as one turns off auto-retrieving MMS files, you're in no danger from it. "Google logs everything you do" is not a security risk, it's a privacy risk, but AFAIK all of the telemetry and cloud services can be turned off if you're willing to tinker with the right settings (unlike Windows 10, which lies to you and tells you the telemetry is off when
        • Re: (Score:1, Insightful)

          The default setting is on for MMS apps including the built in Google ones. "but so long as one turns off auto-retrieving MMS files, you're in no danger from it" The vast majority of people aren't going to do this. He is in danger even if he doesn't think he is receiving MMS, because they receive MMS automatically by default. And yes, Google tracks you server side. You cannot turn off the tracking. You are naiive if you think you can.
          • The default setting is on for MMS apps including the built in Google ones.

            "but so long as one turns off auto-retrieving MMS files, you're in no danger from it"

            The vast majority of people aren't going to do this.

            The vast majority of people would not want to do this.

          • The default setting is on for MMS apps including the built in Google ones. "but so long as one turns off auto-retrieving MMS files, you're in no danger from it" The vast majority of people aren't going to do this. He is in danger even if he doesn't think he is receiving MMS, because they receive MMS automatically by default. And yes, Google tracks you server side. You cannot turn off the tracking. You are naiive if you think you can.

            Um, okay? Nobody says security is idiot proof. There's plenty of ways to get iOS fucked as well, if you're talking about unwise decisions that the vast majority of people will do. My only point was that Android is not insurmountably insecure.

    • I'd like to fix my mediaserver and stagefright. I'd run Cyanogenmod, but Verzion prevents me from using an unsigned kernel.

      If I follow these instructions for my Samsung phone [cyanogenmod.org], can I pull the mediaserver and stagefright libraries out of the resulting .zip and load them in place of the existing binaries, can I have a running system that closes the exploits? I can likely use the nm utility on the resulting .so and check that all the symbols in the old libraries exist in the new.

      The build process appears to pul

      • I hate to be this guy, but why do you run a device that won't let you install your own software? I don't mean to say you shouldn't use Android, but my Verizon LG G3 at least allows me to root it and install a custom recovery so I can run Cyanogenmod or whatever other custom builds I'd like.

        This is why I would never buy a Samsung phone, way too locked down for what I want to do with it. I have an iPhone and an iPad for all of my walled garden needs, I refuse to accept the same from Android. If the day eve

        • by emil ( 695 )

          I do agree, it was a mistake. I bought the phone because Cyanogenmod's website said that it was compatible, and I didn't thoroughly research it. I'm now running Alliance, and pondering a hardware service that can unlock the bootloader for $80.

          I need Verizon because we have repeaters for it at work. I hate those people, and I'm on an mvno.

  • I have toss my perfectly good Galaxy Nexus into the bin, and buy a new phone? How sweet! The upgrade treadmill is fully operational..

    • I have toss my perfectly good Galaxy Nexus into the bin, and buy a new phone? How sweet! The upgrade treadmill is fully operational..

      I'm not happy that Google doesn't update the Galaxy Nexus anymore, but you still have CyanogenMod if you want to keep getting security updates for your phone: http://download.cyanogenmod.co... [cyanogenmod.com]

    • Or, install Chroma (6.0.1 on an over 4 year old phone FTW) or CM (not sure what Android version the current release the the Galaxy Nexus is based on) and get on with your life. Chroma even includes a few additional features like split-screen windowing.
  • Just in time! I got the Lolipop update with the Stagefright fix on my Verizon Moto G two months ago.

    Since then I was starting to get the DTs from not having any Android vulnerabilities. Thanks all around!

"It doesn't much signify whom one marries for one is sure to find out next morning it was someone else." -- Rogers

Working...