Google Fixes Zero-Day Kernel Flaw, Says Effect on Android Not Really That Bad

itwbennett writes: Google has developed a patch for Android in response to a flaw in the Linux kernel and has shared it with device manufacturers. That doesn't mean the patch will hit users' phones right away, though. It might take weeks. But that's ok, says Google, because most Android devices are unlikely to run vulnerable kernel versions, and those that do are protected by SELinux.

Ridiculous

[Anonymous Coward]

If there's a security fix for iOS, I can download and install it right away. There's no reason that shouldn't be the case for Android. This is ridiculous. And what if the manufacturers have disabled SELinux or set it to be permissive? It's a matter of time before a worm like Blaster hits Android and does some serious damage. Fix your damn security model!

Re:Ridiculous

[phantomfive]

If there's a security fix for iOS, I can download and install it right away. .... Fix your damn security model!

Some people would say that security doesn't depend on fast updates: security depends on not having security vulnerabilities in your software to begin with.

Re:

[SirSlud]

You're right. Some people would say that security depends on being perfect. Those people however are living in a dream world where trying to prevent mistakes and fixing mistakes are somehow physically mutually exclusive.

Re:

[phantomfive]

You're right.

I have to say we are in total agreement.

Some people would say that security depends on being perfect.

Whether perfection is possible or not: that is a philosophical question.
More practically, we can easily do better in security than we are doing now by an order of magnitude.

Re:

[Merk42]

Please write something more complicated than "Hello World" that has no vulnerabilities. Also it must be invulnerable to unknown future attack vectors.

Re:

[phantomfive]

This topic has been brought up before. DJB showed with qmail that a substantial program can be written with no serious vulnerabilities.
OpenBSD shows we can do better on security by an order of magnitude (and if you listen to the techniques they use, it's not super-hard).

There's no excuse for the garbage, vulnerable software we are subjected to.

Re:

[Merk42]

Both OpenBSD and qmail have had vulnerabilities, so I guess they're garbage too.

Re:

[phantomfive]

Android had more vulnerabilities in the last month than OpenBSD has had in the last decade. If you can't see a difference here, you need to have your brain adjusted. There is some sloppy programming going on in Android that doesn't need to be.

Re:

[Merk42]

Security through obscurity!
Seriously though, I'm not the one that said "security depends on not having security vulnerabilities in your software to begin with."

Re:

[phantomfive]

Seriously though, I'm not the one that said "security depends on not having security vulnerabilities in your software to begin with."

Yeah, it's true. A fully patched Android system is still vulnerable. Any attacker who wants to put in the effort can find a vulnerability.

Re:

[cfalcon]

Well, given that we're discussing a case where Android has a vulnerability, then the speed of the update is pretty relevant.

Re:

[MachineShedFred]

Yeah, because in the history of software development, there are exactly zero products that have shipped, and are 100% free of bugs and flaws. So don't worry about how fast you can patch it.

Re:

[phantomfive]

True, the patching system can be improved.

Re:

[kmoser]

Some people would say that security doesn't depend on fast updates: security depends on not having security vulnerabilities in your software to begin with.

Security doesn't depend on not having security vulnerabilities in your software to begin with; security depends on preventing people from discovering and exploiting your existing security vulnerabilities.

Re:

[phantomfive]

security depends on preventing people from discovering and exploiting your existing security vulnerabilities.

That's a bandaid that definitely works sometimes.

Re:

[Harlequin80]

Out of interest can you point to any in the wild infections for Android?

Re:

[Flavianoep]

Should they wait for one and then act?

Re:

[BronsCon]

You mean this [welivesecurity.com]?

These types of worms also rely on social engineering to convince the user to click on the link and run the malware.

So, not a worm, but a trojan, which [securityintelligence.com] iOS [pcworld.com] also [paloaltonetworks.com] has [checkpoint.com].

Re:

[Anonymous Coward]

Nobody can deny the the Android update situation is a complete mess. But Apple aren't exactly security darlings here. Sure, you get the updates immediately... when Apple gets around to it. You still have to live with years-old known vulnerabilities, and major issues being held back for more product-cycle friendly release timescales.

if OEM disabled security. Tautology

[raymorris]

> what if the manufacturers have disabled SELinux

Yes, if an OEM disabled the security model, that would be a security problem. Tautology much? That hasn't happened on any relevant device.

Oh I know, if the manufacturer installed a botnet malware and gave access to spammers, that would be a problem too! Oh my, a manufacturer could mess up the device the manufacturer!

Re:

[ArmoredDragon]

That hasn't happened on any relevant device.

I really doubt it ever would because of the whole SEAndroid architecture built on top of it. An OEM would seriously have to go out of their way to not have it working.

The problem with a root kit is that it's a root ki

[raymorris]

Lenovo's root kit wasn't bad because of some obscure bug in Windows. Lenovo's root kit was bad because it was a root kit.

Once you assume that the manufacturer is going to purposely ruin the security the security of the device, unrelated bugs don't have much effect on that.

In other words, if the manufacturer puts a tautology on your device, your device will have a tautology on it.

Re:

[BronsCon]

Right? And here's the thing: Apple fans (I'm a user, but not a fan, it's a tool and it does a job, it's not deserving of fandom) will insist that issues that affect rooted or non-Nexus Android devices are worse than issues that affect jailbroken iOS devices, but they're really one-in-the-same. The reality is that rooting an Android device is a departure from the vanilla Android binaries and configuration provided by Google, as is a manufacturer replacing Android binaries and configurations with their own or

Re:Ridiculous

[Shawn Willden]

what if the manufacturers have disabled SELinux or set it to be permissive?

Then those manufacturers' devices cannot pass the Android Compliance Test Suite, and they have no right to call their devices Android and cannot use Google's apps. SELinux, in enforcing mode and with the Google-defined configuration (mostly; OEMs can make tweaks in some areas, but not the ones relevant to this vulnerability) has been a formal Android compliance requirement since Lollipop.

It's a matter of time before a worm like Blaster hits Android and does some serious damage.

I doubt it. Android is vastly more secure than Windows was (or even is... and Windows is much better than it was when Blaster hit). The lack of updates delivered by OEMs has caused the Android security team to focus on defense in depth, and the system is working pretty well (see last year's report [googleusercontent.com] -- or wait a bit for the new report which should be out in a few weeks). In particular, less than 0.1% of Android devices that use the Play store have any potentially harmful apps (PHA) installed, and that PHA definition is much broader than just traditional malware. Of the PHA apps, only about 5% try to exploit vulnerabilities; the rest focus on social-engineering the users.

So, 0.005% of Android devices have some exploit-using malware on them. And AFAIK there are no Android worms. So, I really, really doubt Android is ripe for a Blaster.

Fix your damn security model!

The Android security model is actually very good... with one glaring exception, which is the update problem. But Google has committed to a monthly patch cycle for Nexus devices, and several other OEMs have hopped on that patch train. Thanks to that, carriers are being forced to get updated software through QA faster, and the focus on monthly updates is pushing OEMs to simplify their offerings to make updating them more practical (you probably won't see a visible reduction in number of offerings; but in the future I expect each model will have a handful of SKUs, at most, rather than hundreds as is often the case today).

The update problem isn't going to get fixed overnight, but I think it is getting fixed, at least from top manufacturers. The next step is for consumers to insist on well-defined and sufficiently-lengthy support and update policies as a condition of purchase, to force all of the rest to get with the program.

In the short term, if you want the most secure and up-to-date Android device, buy Nexus, but I expect soon others will be challenging Google for that spot.

(Full disclosure: I'm a Google engineer, on the Android security team.)

Re: Ridiculous

[io333]

Google could require that manufactures subscribe to some sort of security update model as a requirement before using android software. By not doing this, Google is opening itself up to tremendous liability should something bad ever happen. You may not think so, but some jury someday may think differently. I know of what I speak, though I would prefer not to give full disclosure.

Re:

[arglebargle_xiv]

However, I have a big problem with some of the other software that resides on my phone, including apps and software that I don't want and especially a program called DT Ignite.

There's an app for that [google.com]. Also, the carriers claim the bloatware downloads are zero-rated, although that's been a bit hard to verify.

Re:

[BronsCon]

although that's been a bit hard to verify

and probably in violation of net-neutrality regulations.

Re:

[Shawn Willden]

Also, I do prefer the iOS permissions model, in which users are specifically asked to enable permissions for particular apps as needed.

Android moved to that model in Android Marshmallow.

Re:

[thejynxed]

No they won't, because too many of them insist having everything their way once you guys sign off on their use of Android. This leads to everything from locked bootloaders, out of date kernels, no OS patches at all, etc. This isn't getting better, it has been steadily getting worse, with the number of devices updated by OEMs and carriers to Lollipop and Marshmallow being lower than any previous versions of Android. Many places are still selling flagship models with Lollipop that don't even have Marshmallow

Re:

[BronsCon]

with the number of devices updated by OEMs and carriers to Lollipop and Marshmallow being lower than any previous versions of Android

specifically because, starting with Lollipop, carrier apps are installed on first boot (based on the inserted SIM, so no carrier apps if no SIM is installed) and can be removed by the user once installed. They're no longer part of the firmware, thus no longer require carrier customization. which removes the carrier's ability to require their approval before updates are pushed by the OEMs. While this makes it easier for OEMs to push updates, they can only do so where standalone versions of the carrier apps a

Re:

[ChunderDownunder]

In the short term, if you want the most secure and up-to-date Android device, buy Nexus, but I expect soon others will be challenging Google for that spot.

Except when Google discontinues your device support. :(

Please encourage your superiors to release official Marshmallow images and updates for the Google Nexus 4.

Re:

[Shawn Willden]

In the short term, if you want the most secure and up-to-date Android device, buy Nexus, but I expect soon others will be challenging Google for that spot.

Except when Google discontinues your device support. :(

Please encourage your superiors to release official Marshmallow images and updates for the Google Nexus 4.

Two years of updates and three years of security patches is better than anyone else is offering. Apple sometimes does a bit better than that, but they don't make any promises.

Re:

[BronsCon]

They support their phones for at least as long as Apple. In fact, they've made a legally binding commitment [google.com] to supporting devices for at least a certain period of time: major version updates for at least 2 years from date of first sale; security updates for at least 3 years from date of first sale or 18 months from date of removal from the Google Play Store, whichever is longer.

Meanwhile, Apple and Microsoft have done no such thing. I'm not sure of Microsoft's track record regarding device support, but I

Re: Ridiculous

[cyber-vandal]

How are consumers going to demand that when all the OEMs are varying levels of useless. Google has the power to pressure them to be better but doesn't seem to want to use it.

Re:

[Shawn Willden]

How are consumers going to demand that when all the OEMs are varying levels of useless. Google has the power to pressure them to be better but doesn't seem to want to use it.

Google has a lot less power than you think. We have to tread carefully to keep the ecosystem unified and moving forward together. If Google is too heavy-handed, some of the bigger OEMs are totally capable of taking AOSP and going their own way.

Re: Ridiculous

[cyber-vandal]

Samsung, HTC and various carriers have already done that to a degree and that's part of why updates aren't provided in a timely manner. The Android ecosystem is a mess leaving consumers vulnerable and Google is the only org that can pull it together again. I don't envy you having to do that but the current status quo is not good enough.

Re:

[thegarbz]

Thanks to that, carriers are being forced to get updated software through QA faster

Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?

Re:

[Letophoro]

Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?

You would think so. Unfortunately, the way it is unless you have a Nexus phone is that first the manufacturer has to vet the patch, then the carrier has to vet it. In part because both pile useless software onto the handset that might rely on whatever is being patched. Even more unfortunately, neither of them have any vested interest in actually applying the patch because they would rather sell a new handset and get you into another contract instead.

While I am not an Apple fan, I think their model of removi

Re:

[Shawn Willden]

Unfortunately, the way it is unless you have a Nexus phone is that first the manufacturer has to vet the patch, then the carrier has to vet it.

Same on Nexus, actually, though Google has managed to streamline the process a bit. The manufacturer vetting step is mostly cut out. Mostly.

While I am not an Apple fan, I think their model of removing other actors from the security equation is beneficial.

It's worth noting that Apple also has to go through the carrier vetting step.

The biggest difference between Apple/Nexus and other OEMs, IMO, is variety. Samsung, for example, has thousands of different system images to update, and each one has to be validated by the carriers. Nexus and Apple keep it down to a handful. The OEMs have done this to themselves, obviously,

Re:

[Shawn Willden]

Thanks to that, carriers are being forced to get updated software through QA faster

Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?

Hell if I know. It makes no sense to me, either.

Re:

[tlhIngan]

Thanks to that, carriers are being forced to get updated software through QA faster

Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?

No, because some carriers get anal and demand things work in certain ways.

It's a lot better now, but in the past, things like the color of the send button must be a certain shade of green, for example.

Re:

[thegarbz]

It's a lot better now, but in the past, things like the color of the send button must be a certain shade of green, for example.

That's not relevant. A lot of those features especially the candy is controlled by individual apps. There's no reason a whole kernel upgrade should have any visible impact on the user or any of the applications at all. My point was why isn't the system modular enough that these customisations aren't a problem. It's not like I have to rebuilt my linux server every time a new package or security fix is released.

Re:

[phantomfive]

Because carriers make their own, modified distribution of Android. Which of course, git is set up to handle, but sometimes the carriers make a mess of things.

It's not entirely the carrier's fault, because sometimes Google makes some pretty big changes in the core OS. So, for example, imagine if the carrier had to change the screenshot utility to work with their hardware (surprisingly common). Then in a later version of Android, google changed the internal screenshot system. In order to update to the lates

Re:

[thegarbz]

I'm talking about minor updates and fixes here not API changing modifications. One should be able to apply a kernel patch without wondering if the entire system is going to melt into a puddle as a result.

Re:

[phantomfive]

One should be able to apply a kernel patch without wondering if the entire system is going to melt into a puddle as a result.

That's true, especially since the kernel team is really good about maintaining backwards compatibility.

Re:

[Errol backfiring]

The next step is for consumers to insist on well-defined and sufficiently-lengthy support and update policies as a condition of purchase

That would be nice if a user had anything to say about the stuff he would buy. You can demand every reasonable thing in the world, but "then don't buy it" is the only answer you will ever get.

Not buying a phone might give you a good feeling for living up to your principles, but it will not result in a phone with reasonable support.

Re:

[phantomfive]

The Android security model is actually very good....but Google has committed to a monthly patch cycle for Nexus devices,

If you have to release security patches every month, then your security model is definitely NOT good. You have serious problems with your code.

Re:

[Shawn Willden]

The Android security model is actually very good....but Google has committed to a monthly patch cycle for Nexus devices,

If you have to release security patches every month, then your security model is definitely NOT good. You have serious problems with your code.

Utter nonsense.

There is no way that any system as large and complex as a modern personal computing operating system is going to be completely bug-free. If you believe otherwise, you're either clueless or living in a fantasy world.

Re:

[phantomfive]

Utter nonsense.

You're wrong. Even if you were correct in your assumption that large systems can't be secure, then you would still be wrong in saying that such security is good. Bad security is bad security, even if you think it's the best possible. Software with many vulnerabilities is not secure.

If you believe otherwise, you're either clueless or living in a fantasy world.

I like the fact based, well-reasoned argument you have there. It's so convincing.

Re:

[Shawn Willden]

You've clearly never tried to build large-scale secure software systems. There's no point in discussing this with you.

Re:

[Shawn Willden]

Oh, something for you to consider: http://www.openbsd.org/errata5... [openbsd.org]

OpenBSD is much smaller and simpler than any mainstream OS, and has had a laser focus on security for years. Security is their number one goal, above usability, features or anything else... and yet they need more-than-monthly updates to fix security defects. That should give you an indication of just how hard a problem this is.

Re:

[phantomfive]

That's the most insightful comment you've made so far, and it actually has data in it. So good job.

Re:

[kbg]

Yes here is the list of manufacturers that offer timely updates:
  * None

Re:

[Shawn Willden]

Yes here is the list of manufacturers that offer timely updates: * None

Not true. Nexus devices get monthly updates. So do some Samsung devices. I know there are some other manufacturers. It seems like the list the AC is asking for is something Google could potentially provide.

Re:

[BronsCon]

Wrong.
* Google (Nexus devices)

Re:

[kbg]

Tell that to Google Nexus 4 owners.

Re: Ridiculous

[BronsCon]

You mean the Nexus 4 that has the most recent updates [google.com] available? I think you meant Galaxy Nexus, and that phon was supported for over 4 years, except on Verizon, who blocked the last update.

Re:

[kbg]

This page only lists that the Nexus 4 has 5.1.1 not 6.0, so no it doesn't have the latest updates.

Re:

[BronsCon]

Derp, posting before fully awake... forgot 6.0 was out. That said, Google guarantees major version updates for 2 years from first sale and security updates for the longer of 3 years from first sale or 18 months from discontinuation. Lollipop was released more than 2 years after the Nexus 4 went on sale (November 13, 2012) and more than 18 months have passed since the Nexus 4 was discontinued (and no longer available from the Google Store) on November 1, 2013. They've lived up to what they promised; in fact,

Re:

[kbg]

That is one of the problems with Android your phone can only be used for 2 years until it is completely outdated and can't be updated any more. Now that wouldn't be a problem if Google wasn't constantly changing Android and coming up with newer and newer versions making it impossible to install new/updated apps from app store. The problem is that Google doesn't care about backward compatability and is constantly deprecating and messing up things for no reason. I understand if the newer phone has some new ha

Re:

[BronsCon]

You do realize that nothing you just said is true, right? Your example phone, the Nexus 4, was still getting updates after more than 3 years and. In fact, 6.0.1 was released in the first week of December 2016, while 5.1.1 was released in the first week of January 2016. Ignore version numbers for a moment and realize that means that the Nexus 4 has been updated more recently than the Nexus 5, Nexus 6, Nexus 5X, and Nexus 6P, all of which came out long after the Nexus 4. And anything that works on 5.x works o

Re:

[kbg]

You talk about Apple but Apple is not an excuse because they are bad themselves, yes Apple also sucks.

Do you really think a normal user will be able to unlock or install Marshmallow on his phone with these unnecessary complex instructions? I have rooted and installed a few Android mods myself and I can tell you that it is very easy to make a small mistake or that the third party instructions are not clear enough so you end up with a bricked phone. I am not talking about myself, you or other technical people

Re:

[BronsCon]

You talk about Apple but Apple is not an excuse because they are bad themselves, yes Apple also sucks.

I talk about Apple not to excuse Google, but because everyone always brings up Apple as an example of "doing it right". If that is incorrect (as I've shown) then, perhaps, people should stop doing it. If you weren't slyly hinting at Apple, and I know you weren't pointing to Microsoft of Blackberry, just who is the shining beacon of "doing it right"? And if nobody, who is doing it best? I'd venture that Google isn't doing too horribly if your requirement is the ability to buy a device from any number of supp

Re:

[kbg]

So, you're saying you wouldn't help your sister, mom, or grandma with this? I know I would, as wold most technical people who wish to encourage their friends and family to be more secure.

I will help them as much as I can but I refuse to be a technical support for Google just because they are incompetient and don't care.

You mean it's something Google cold easily do if they would just stop write-locking /system/ during the boot process to prevent malware from completely pwning Android devices. You must not realize that this is a security measure, and a very strong one at that; it's literally as simple as it could possibly be without opening the door to all kinds of nasty malware we currently don't have to deal with. The only thing that might make it easier is a GUI, but that would also make it easier for people to install malicious ROMs without really thinking about it; having to type it out makes you think about what you're about to do before you press enter.

No Google controls the system. They already have a lot of system apps that can whatever they want. This is just a simple implentation of crypto signing the app. If the app is signed by a specific key by Google then they can give the app access to stuff like this. You talk about like this is something impossible to do? If you control the system like Google does you can have it

Re: Ridiculous

[BronsCon]

Keys can be forged or stolen, we've seen it happen. I'll keep my hardware write lock, thanks, and you can have your insecure softlocked toy.

Re:

[Shawn Willden]

HELL - LOOK @ ALL THE VULNERABILITIES & PROBLEMS ANDROID HAS HAD SINCE IT'S VERY PUBLIC RELEASE & INCEPTION!

Yep. And look at the utter lack of Blaster-style mass infection.

Re:

[Shawn Willden]

There's an interesting ongoing case in the Netherlands in that regard: A Dutch consumer organisation is suing Samsung for neither providing updates nor making it clear for how long a new phone will be kept updated. (I'm personally imagining best-before dates on the packaging, like on food).

Cool. We do need companies to tell you before you buy what you're going to get, and then back it up. Glad to see that's happening.

However, Samsung actually has committed to a regular update cycle on their new flagship devices, after Google did it for Nexus. So they're getting it. I don't know if it's a result of this suit or what, but whatever it takes to make this happen, I'm for it.

Re: Ridiculous

[cyber-vandal]

You are a pathetic fanboi with no grasp on reality at all.

It's not the fault of the users that Google has failed to set up an ecosystem where they're protected from security flaws.

It's not the fault of the users that carriers and OEMs don't give a shit about their customers.

It's not the fault of the users that they can't buy Nexus devices in their country.

If Microsoft tried this bullshit they'd be torn a new one on here but because it's Linux under the hood it must be defended to the death.

Re:

[BronsCon]

It is the fault of the users that they bought into it, though. Grasp that reality and take responsibility for your own decisions, maybe then you'll realize that it's important to learn exactly what it is you're buying before you buy it. The information was clearly available, as many of us made use of it when deciding to buy Nexus devices over all else. Those of us who live in a country where Nexus devices aren't available can still learn which devices ship with unlocked bootloaders and load vanilla Android

Re: Ridiculous

[cyber-vandal]

Are you taking the piss? It's the fault of the user that they don't load some random firmware that doesn't support all the functions of their phone via Odin which isn't exactly user friendly. In a world like that how soon would it be before malware infested firmwares were everywhere. You fanboys are mental.

Just buy a Nexus is not the answer, the answer is for the OEMs, the carriers and Google to give a shit about their customers.

I'm not attacking the OS. I had a Nexus 6 (which wasn't cheap) and it was great

Re:

[BronsCon]

Odin works (for some definitions of "works") for Samsung, there are better tools for HTC, LG, and Motorola. Beyond that, dedicated community members tend to build full-function firmwares for popular devices and yes, it is the user's fault if they can't be assed to learn this stuff before purchasing a device, if security is a concern to them and other options are available.

Yes, the carriers and OEMs share in the blame, and Google gets their fair share as well for not requiring that the OEMs conform to some

Re:

[jrumney]

If there's a security fix for iOS you don't even hear about it until Apple is ready to ship on all devices they are still supporting.

Re:

[Merk42]

If there's a security fix for iOS you don't even hear about it until Apple is ready to ship on all devices they are still supporting.

no, but if there is a security vulnerability you do hear about it..

Re:

[jeremyp]

There is a reason why it shouldn't be the case for Android. The reason is that Google doesn't make the phones. This patch will have to be tested on each manufacturer's devices before it is made available. Google isn't going to do that, the manufacturers are. Well, you'd hope the manufacturers are.

This is the fundamental difference between the Android and iOS ecosystems, Android is fragmented, iOS is monolithic.

Re:

[BronsCon]

Or, as a user, educate yourself and buy a Nexus device which, much as the iPhone gets its updates directly from Apple, gets its updates directly from Google. I've noticed that Google is generally quicker to update my Nexus 6 than Apple is to update my iPad Air when a flaw is publicly disclosed; I would assume the same when the flaw is not publicly disclosed but there is not frame of reference for this.

Re:

[BronsCon]

those are typically lagging behind in hardware

I wouldn't say the Nexus 6 is lagging behind in hardware, even comparing to the generation of devices released after it. Actually, for the first time I've owned a phone for over a year and still see nothing compelling on the market. Just saying.

Sure, a fingerprint reader would be nice, but that's something I'd use for a grand total of a couple seconds per day, versus the display I'd be giving up, which gets used much, much more. The Nexus 6P is comparable, but trading wireless charging for a fingerprint r

Re:

[Anonymous Coward]

Google updates Android, folds in fixes submitted through AOSP and pushes them out to Google devices. That is where their responsibility ends. Google cannot make any hardware manufacturer push those updates out.

The hardware maker is the one who is supposed to take Google's updates, negotiate terms with the carriers and push them out to their devices. The end user is also free to manually install updates themselves and many do, which is why so many unofficial firmwares are available through places like xda de

Re:

[MachineShedFred]

That's a fantastic excuse for a horrible model.

If Google actually wanted to get serious about this, they would contractually obligate their OEMs to send security-related updates in a timely fashion. Yet they don't, and *their* platform continues to have this god damn mess.

Throwing up your hands and saying "that is the OEM's problem" is a fantastic way to be selling devices that are actively exploitable, and ruin the reputation of your brand. Even Microsoft recognizes that.

Re:

[BronsCon]

That's a fantastic excuse for a horrible model.

And if you were at all familiar with the restrictions mobile operators place on device manufacturers, you'd understand that's it's a factual one, as well. Even Microsoft recognizes that [windows.com].

We work closely with our carrier partners, and encourage them to test our software as swiftly as possible. But it’s still their network, and the reality is that some carriers require more time than others. By the way, this carrier testing is a common industry practice that all of our competitors must also undergo. No exceptions.

That said, this only applies to devices which the carrier has customized in some way [howtogeek.com]. As far as Nexus devices go, that only includes the T-Mobile Nexus 6 and, even then, the customization was done by Google and T-Mobile allows them to push updates directly and without approval. Every other Android device sold, by literally a

The bug

[phantomfive]

In case anyone cares, the bug was improper deallocation. Sloppy programming.

That doesn't mean .....

[frovingslosh]

That doesn't mean the patch will hit users' phones ever, though.

There, I fixed it for you.

Weeks?

[cyber-vandal]

How about months or never. The upgrade situation on Android is a joke unless you buy from Google.

Re:

[nnull]

Samsung and Verizon devices will probably never get an upgrade. Took forever to get an update for my Note 12.

Re:

[thegarbz]

How about months or never. The upgrade situation on Android is a joke unless you buy from Google.

Yes but so are most attack vectors. When a problem gets discovered in Windows, IE, Flash, Acrobat etc it's sometimes a matter of hours / days before exploits are in the wild, sometimes the exploits are out before the the problem is discovered.

In the Android world I've yet to actually hear of a wide spread exploit self propagating between devices and turning them all into mass zombies. Typically we only hear about devices that were compromised via some dodgy app with questionable permissions, which is a far

Re: Weeks?

[cyber-vandal]

The problem with Android is that even when the flaw is fixed by Google it doesn't make it onto the majority of the phones out there. That's not good enough. Microsoft would never escape criticism for ignoring flaws but for some reason Android OEMs seem to get a free pass.

Re:

[BronsCon]

It's good enough for the Nexus device in my pocket. I don't own the majority of Android devices out there and neither would an educated consumer. Those OEMs aren't getting a free pass, I voted with my dollars and made them irrelevant, so it's not worth my time to jump on them.

Re:

[thegarbz]

The free pass is given due to the attack vector. I would give Microsoft a free pass too when their bugs have very little impact or are incredibly unlikely to be exploited.

Just like I gave Linux a free pass when the malware was discovered last week and we all couldn't help but joke at the fact that parts of it didn't work, and when they did work it didn't do so very widely.

Re:

[drinkypoo]

How about months or never. The upgrade situation on Android is a joke unless you buy from Google.

Not only is Motorola pretty good about updates, but I can get an AOSP build for pretty much any of their phones. I don't know if there are any other manufacturers as reputable, but I've been happy enough with Moto that my next phone will probably also come from them.