Google Fixes Zero-Day Kernel Flaw, Says Effect on Android Not Really That Bad (csoonline.com)
itwbennett writes: Google has developed a patch for Android in response to a flaw in the Linux kernel and has shared it with device manufacturers. That doesn't mean the patch will hit users' phones right away, though. It might take weeks. But that's ok, says Google, because most Android devices are unlikely to run vulnerable kernel versions, and those that do are protected by SELinux.
Ridiculous (Score:2, Insightful)
If there's a security fix for iOS, I can download and install it right away. There's no reason that shouldn't be the case for Android. This is ridiculous. And what if the manufacturers have disabled SELinux or set it to be permissive? It's a matter of time before a worm like Blaster hits Android and does some serious damage. Fix your damn security model!
Re:Ridiculous (Score:4, Insightful)
If there's a security fix for iOS, I can download and install it right away. .... Fix your damn security model!
Some people would say that security doesn't depend on fast updates: security depends on not having security vulnerabilities in your software to begin with.
Re: (Score:3, Insightful)
You're right. Some people would say that security depends on being perfect. Those people however are living in a dream world where trying to prevent mistakes and fixing mistakes are somehow physically mutually exclusive.
Re: (Score:2)
You're right.
I have to say we are in total agreement.
Some people would say that security depends on being perfect.
Whether perfection is possible or not: that is a philosophical question.
More practically, we can easily do better in security than we are doing now by an order of magnitude.
Re: (Score:2)
OpenBSD shows we can do better on security by an order of magnitude (and if you listen to the techniques they use, it's not super-hard).
There's no excuse for the garbage, vulnerable software we are subjected to.
Re: (Score:2)
Seriously though, I'm not the one that said "security depends on not having security vulnerabilities in your software to begin with."
Re: (Score:2)
Seriously though, I'm not the one that said "security depends on not having security vulnerabilities in your software to begin with."
Yeah, it's true. A fully patched Android system is still vulnerable. Any attacker who wants to put in the effort can find a vulnerability.
Re: (Score:3)
Well, given that we're discussing a case where Android has a vulnerability, then the speed of the update is pretty relevant.
Re: (Score:2)
Yeah, because in the history of software development, there are exactly zero products that have shipped, and are 100% free of bugs and flaws. So don't worry about how fast you can patch it.
Re: (Score:1)
Some people would say that security doesn't depend on fast updates: security depends on not having security vulnerabilities in your software to begin with.
Security doesn't depend on not having security vulnerabilities in your software to begin with; security depends on preventing people from discovering and exploiting your existing security vulnerabilities.
Re: (Score:2)
security depends on preventing people from discovering and exploiting your existing security vulnerabilities.
That's a bandaid that definitely works sometimes.
Re: (Score:3)
Out of interest can you point to any in the wild infections for Android?
Re: (Score:2)
These types of worms also rely on social engineering to convince the user to click on the link and run the malware.
So, not a worm, but a trojan, which [securityintelligence.com] iOS [pcworld.com] also [paloaltonetworks.com] has [checkpoint.com].
Re: (Score:2, Insightful)
Nobody can deny that the Android update situation is a complete mess. But Apple aren't exactly security darlings here. Sure, you get the updates immediately... when Apple gets around to it. You still have to live with years-old known vulnerabilities, and major issues being held back for more product-cycle friendly release timescales.
if OEM disabled security. Tautology (Score:4, Funny)
> what if the manufacturers have disabled SELinux
Yes, if an OEM disabled the security model, that would be a security problem. Tautology much? That hasn't happened on any relevant device.
Oh I know, if the manufacturer installed a botnet malware and gave access to spammers, that would be a problem too! Oh my, a manufacturer could mess up the device the manufacturer!
Re: (Score:2)
That hasn't happened on any relevant device.
I really doubt it ever would because of the whole SEAndroid architecture built on top of it. An OEM would seriously have to go out of their way to not have it working.
The problem with a root kit is that it's a root ki (Score:3)
Lenovo's root kit wasn't bad because of some obscure bug in Windows. Lenovo's root kit was bad because it was a root kit.
Once you assume that the manufacturer is going to purposely ruin the security of the device, unrelated bugs don't have much effect on that.
In other words, if the manufacturer puts a tautology on your device, your device will have a tautology on it.
Re:Ridiculous (Score:5, Informative)
what if the manufacturers have disabled SELinux or set it to be permissive?
Then those manufacturers' devices cannot pass the Android Compliance Test Suite, and they have no right to call their devices Android and cannot use Google's apps. SELinux, in enforcing mode and with the Google-defined configuration (mostly; OEMs can make tweaks in some areas, but not the ones relevant to this vulnerability) has been a formal Android compliance requirement since Lollipop.
It's a matter of time before a worm like Blaster hits Android and does some serious damage.
I doubt it. Android is vastly more secure than Windows was (or even is... and Windows is much better than it was when Blaster hit). The lack of updates delivered by OEMs has caused the Android security team to focus on defense in depth, and the system is working pretty well (see last year's report [googleusercontent.com] -- or wait a bit for the new report which should be out in a few weeks). In particular, less than 0.1% of Android devices that use the Play store have any potentially harmful apps (PHA) installed, and that PHA definition is much broader than just traditional malware. Of the PHA apps, only about 5% try to exploit vulnerabilities; the rest focus on social-engineering the users.
So, 0.005% of Android devices have some exploit-using malware on them. And AFAIK there are no Android worms. So, I really, really doubt Android is ripe for a Blaster.
Fix your damn security model!
The Android security model is actually very good... with one glaring exception, which is the update problem. But Google has committed to a monthly patch cycle for Nexus devices, and several other OEMs have hopped on that patch train. Thanks to that, carriers are being forced to get updated software through QA faster, and the focus on monthly updates is pushing OEMs to simplify their offerings to make updating them more practical (you probably won't see a visible reduction in number of offerings; but in the future I expect each model will have a handful of SKUs, at most, rather than hundreds as is often the case today).
The update problem isn't going to get fixed overnight, but I think it is getting fixed, at least from top manufacturers. The next step is for consumers to insist on well-defined and sufficiently-lengthy support and update policies as a condition of purchase, to force all of the rest to get with the program.
In the short term, if you want the most secure and up-to-date Android device, buy Nexus, but I expect soon others will be challenging Google for that spot.
(Full disclosure: I'm a Google engineer, on the Android security team.)
Re: Ridiculous (Score:3)
Google could require that manufacturers subscribe to some sort of security update model as a requirement before using Android software. By not doing this, Google is opening itself up to tremendous liability should something bad ever happen. You may not think so, but some jury someday may think differently. I know of what I speak, though I would prefer not to give full disclosure.
Re: (Score:2)
However, I have a big problem with some of the other software that resides on my phone, including apps and software that I don't want and especially a program called DT Ignite.
There's an app for that [google.com]. Also, the carriers claim the bloatware downloads are zero-rated, although that's been a bit hard to verify.
Re: (Score:2)
although that's been a bit hard to verify
and probably in violation of net-neutrality regulations.
Re: (Score:2)
Also, I do prefer the iOS permissions model, in which users are specifically asked to enable permissions for particular apps as needed.
Android moved to that model in Android Marshmallow.
Re: (Score:1)
No they won't, because too many of them insist having everything their way once you guys sign off on their use of Android. This leads to everything from locked bootloaders, out of date kernels, no OS patches at all, etc. This isn't getting better, it has been steadily getting worse, with the number of devices updated by OEMs and carriers to Lollipop and Marshmallow being lower than any previous versions of Android. Many places are still selling flagship models with Lollipop that don't even have Marshmallow
Re: (Score:2)
with the number of devices updated by OEMs and carriers to Lollipop and Marshmallow being lower than any previous versions of Android
specifically because, starting with Lollipop, carrier apps are installed on first boot (based on the inserted SIM, so no carrier apps if no SIM is installed) and can be removed by the user once installed. They're no longer part of the firmware, thus no longer require carrier customization, which removes the carrier's ability to require their approval before updates are pushed by the OEMs. While this makes it easier for OEMs to push updates, they can only do so where standalone versions of the carrier apps a
Re: (Score:2)
Except when Google discontinues your device support. :(
Please encourage your superiors to release official Marshmallow images and updates for the Google Nexus 4.
Re: (Score:2)
Except when Google discontinues your device support. :(
Please encourage your superiors to release official Marshmallow images and updates for the Google Nexus 4.
Two years of updates and three years of security patches is better than anyone else is offering. Apple sometimes does a bit better than that, but they don't make any promises.
Re: (Score:2)
Meanwhile, Apple and Microsoft have done no such thing. I'm not sure of Microsoft's track record regarding device support, but I
Re: Ridiculous (Score:2)
How are consumers going to demand that when all the OEMs are varying levels of useless. Google has the power to pressure them to be better but doesn't seem to want to use it.
Re: (Score:2)
How are consumers going to demand that when all the OEMs are varying levels of useless. Google has the power to pressure them to be better but doesn't seem to want to use it.
Google has a lot less power than you think. We have to tread carefully to keep the ecosystem unified and moving forward together. If Google is too heavy-handed, some of the bigger OEMs are totally capable of taking AOSP and going their own way.
Re: Ridiculous (Score:2)
Samsung, HTC and various carriers have already done that to a degree and that's part of why updates aren't provided in a timely manner. The Android ecosystem is a mess leaving consumers vulnerable and Google is the only org that can pull it together again. I don't envy you having to do that but the current status quo is not good enough.
Re: (Score:2)
Thanks to that, carriers are being forced to get updated software through QA faster
Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?
Re: (Score:1)
Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?
You would think so. Unfortunately, the way it is unless you have a Nexus phone is that first the manufacturer has to vet the patch, then the carrier has to vet it. In part because both pile useless software onto the handset that might rely on whatever is being patched. Even more unfortunately, neither of them have any vested interest in actually applying the patch because they would rather sell a new handset and get you into another contract instead.
While I am not an Apple fan, I think their model of removi
Re: (Score:2)
Unfortunately, the way it is unless you have a Nexus phone is that first the manufacturer has to vet the patch, then the carrier has to vet it.
Same on Nexus, actually, though Google has managed to streamline the process a bit. The manufacturer vetting step is mostly cut out. Mostly.
While I am not an Apple fan, I think their model of removing other actors from the security equation is beneficial.
It's worth noting that Apple also has to go through the carrier vetting step.
The biggest difference between Apple/Nexus and other OEMs, IMO, is variety. Samsung, for example, has thousands of different system images to update, and each one has to be validated by the carriers. Nexus and Apple keep it down to a handful. The OEMs have done this to themselves, obviously,
Re: (Score:2)
Thanks to that, carriers are being forced to get updated software through QA faster
Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?
Hell if I know. It makes no sense to me, either.
Re: (Score:2)
No, because some carriers get anal and demand things work in certain ways.
It's a lot better now, but in the past, things like the color of the send button must be a certain shade of green, for example.
Re: (Score:2)
It's a lot better now, but in the past, things like the color of the send button must be a certain shade of green, for example.
That's not relevant. A lot of those features, especially the candy, are controlled by individual apps. There's no reason a whole kernel upgrade should have any visible impact on the user or any of the applications at all. My point was why isn't the system modular enough that these customisations aren't a problem. It's not like I have to rebuild my Linux server every time a new package or security fix is released.
Re: (Score:2)
It's not entirely the carrier's fault, because sometimes Google makes some pretty big changes in the core OS. So, for example, imagine if the carrier had to change the screenshot utility to work with their hardware (surprisingly common). Then in a later version of Android, Google changed the internal screenshot system. In order to update to the lates
Re: (Score:2)
I'm talking about minor updates and fixes here not API changing modifications. One should be able to apply a kernel patch without wondering if the entire system is going to melt into a puddle as a result.
Re: (Score:2)
One should be able to apply a kernel patch without wondering if the entire system is going to melt into a puddle as a result.
That's true, especially since the kernel team is really good about maintaining backwards compatibility.
Re: (Score:2)
The next step is for consumers to insist on well-defined and sufficiently-lengthy support and update policies as a condition of purchase
That would be nice if a user had anything to say about the stuff he would buy. You can demand every reasonable thing in the world, but "then don't buy it" is the only answer you will ever get.
Not buying a phone might give you a good feeling for living up to your principles, but it will not result in a phone with reasonable support.
Re: (Score:2)
The Android security model is actually very good....but Google has committed to a monthly patch cycle for Nexus devices,
If you have to release security patches every month, then your security model is definitely NOT good. You have serious problems with your code.
Re: (Score:2)
The Android security model is actually very good....but Google has committed to a monthly patch cycle for Nexus devices,
If you have to release security patches every month, then your security model is definitely NOT good. You have serious problems with your code.
Utter nonsense.
There is no way that any system as large and complex as a modern personal computing operating system is going to be completely bug-free. If you believe otherwise, you're either clueless or living in a fantasy world.
Re: (Score:2)
Utter nonsense.
You're wrong. Even if you were correct in your assumption that large systems can't be secure, then you would still be wrong in saying that such security is good. Bad security is bad security, even if you think it's the best possible. Software with many vulnerabilities is not secure.
If you believe otherwise, you're either clueless or living in a fantasy world.
I like the fact based, well-reasoned argument you have there. It's so convincing.
Re: (Score:2)
Oh, something for you to consider: http://www.openbsd.org/errata5... [openbsd.org]
OpenBSD is much smaller and simpler than any mainstream OS, and has had a laser focus on security for years. Security is their number one goal, above usability, features or anything else... and yet they need more-than-monthly updates to fix security defects. That should give you an indication of just how hard a problem this is.
Re: (Score:2)
Yes here is the list of manufacturers that offer timely updates:
* None
Re: (Score:3)
Yes here is the list of manufacturers that offer timely updates: * None
Not true. Nexus devices get monthly updates. So do some Samsung devices. I know there are some other manufacturers. It seems like the list the AC is asking for is something Google could potentially provide.
Re: (Score:2)
* Google (Nexus devices)
Re: (Score:2)
Tell that to Google Nexus 4 owners.
Re: (Score:2)
This page only lists that the Nexus 4 has 5.1.1 not 6.0, so no it doesn't have the latest updates.
Re: (Score:2)
That is one of the problems with Android: your phone can only be used for 2 years until it is completely outdated and can't be updated any more. Now that wouldn't be a problem if Google wasn't constantly changing Android and coming up with newer and newer versions making it impossible to install new/updated apps from app store. The problem is that Google doesn't care about backward compatibility and is constantly deprecating and messing up things for no reason. I understand if the newer phone has some new ha
Re: (Score:2)
You talk about Apple but Apple is not an excuse because they are bad themselves, yes Apple also sucks.
Do you really think a normal user will be able to unlock or install Marshmallow on his phone with these unnecessarily complex instructions? I have rooted and installed a few Android mods myself and I can tell you that it is very easy to make a small mistake or that the third party instructions are not clear enough so you end up with a bricked phone. I am not talking about myself, you or other technical people
Re: (Score:2)
You talk about Apple but Apple is not an excuse because they are bad themselves, yes Apple also sucks.
I talk about Apple not to excuse Google, but because everyone always brings up Apple as an example of "doing it right". If that is incorrect (as I've shown) then, perhaps, people should stop doing it. If you weren't slyly hinting at Apple, and I know you weren't pointing to Microsoft or Blackberry, just who is the shining beacon of "doing it right"? And if nobody, who is doing it best? I'd venture that Google isn't doing too horribly if your requirement is the ability to buy a device from any number of supp
Re: (Score:2)
So, you're saying you wouldn't help your sister, mom, or grandma with this? I know I would, as would most technical people who wish to encourage their friends and family to be more secure.
I will help them as much as I can but I refuse to be technical support for Google just because they are incompetent and don't care.
You mean it's something Google could easily do if they would just stop write-locking /system/ during the boot process to prevent malware from completely pwning Android devices. You must not realize that this is a security measure, and a very strong one at that; it's literally as simple as it could possibly be without opening the door to all kinds of nasty malware we currently don't have to deal with. The only thing that might make it easier is a GUI, but that would also make it easier for people to install malicious ROMs without really thinking about it; having to type it out makes you think about what you're about to do before you press enter.
No, Google controls the system. They already have a lot of system apps that can do whatever they want. This is just a simple implementation of crypto signing the app. If the app is signed by a specific key by Google then they can give the app access to stuff like this. You talk about it like this is something impossible to do? If you control the system like Google does you can have it
Re: (Score:2)
HELL - LOOK @ ALL THE VULNERABILITIES & PROBLEMS ANDROID HAS HAD SINCE ITS VERY PUBLIC RELEASE & INCEPTION!
Yep. And look at the utter lack of Blaster-style mass infection.
Re: (Score:2)
There's an interesting ongoing case in the Netherlands in that regard: A Dutch consumer organisation is suing Samsung for neither providing updates nor making it clear for how long a new phone will be kept updated. (I'm personally imagining best-before dates on the packaging, like on food).
Cool. We do need companies to tell you before you buy what you're going to get, and then back it up. Glad to see that's happening.
However, Samsung actually has committed to a regular update cycle on their new flagship devices, after Google did it for Nexus. So they're getting it. I don't know if it's a result of this suit or what, but whatever it takes to make this happen, I'm for it.
Re: Ridiculous (Score:2)
You are a pathetic fanboi with no grasp on reality at all.
It's not the fault of the users that Google has failed to set up an ecosystem where they're protected from security flaws.
It's not the fault of the users that carriers and OEMs don't give a shit about their customers.
It's not the fault of the users that they can't buy Nexus devices in their country.
If Microsoft tried this bullshit they'd be torn a new one on here but because it's Linux under the hood it must be defended to the death.
Re: Ridiculous (Score:2)
Are you taking the piss? It's the fault of the user that they don't load some random firmware that doesn't support all the functions of their phone via Odin which isn't exactly user friendly. In a world like that how soon would it be before malware infested firmwares were everywhere. You fanboys are mental.
Just buy a Nexus is not the answer, the answer is for the OEMs, the carriers and Google to give a shit about their customers.
I'm not attacking the OS. I had a Nexus 6 (which wasn't cheap) and it was great
Re: (Score:2)
Yes, the carriers and OEMs share in the blame, and Google gets their fair share as well for not requiring that the OEMs conform to some
Re: (Score:2)
If there's a security fix for iOS you don't even hear about it until Apple is ready to ship on all devices they are still supporting.
no, but if there is a security vulnerability you do hear about it..
Re: (Score:2)
There is a reason why it shouldn't be the case for Android. The reason is that Google doesn't make the phones. This patch will have to be tested on each manufacturer's devices before it is made available. Google isn't going to do that, the manufacturers are. Well, you'd hope the manufacturers are.
This is the fundamental difference between the Android and iOS ecosystems, Android is fragmented, iOS is monolithic.
Re: (Score:2)
those are typically lagging behind in hardware
I wouldn't say the Nexus 6 is lagging behind in hardware, even comparing to the generation of devices released after it. Actually, for the first time I've owned a phone for over a year and still see nothing compelling on the market. Just saying.
Sure, a fingerprint reader would be nice, but that's something I'd use for a grand total of a couple seconds per day, versus the display I'd be giving up, which gets used much, much more. The Nexus 6P is comparable, but trading wireless charging for a fingerprint r
Re: (Score:1)
Google updates Android, folds in fixes submitted through AOSP and pushes them out to Google devices. That is where their responsibility ends. Google cannot make any hardware manufacturer push those updates out.
The hardware maker is the one who is supposed to take Google's updates, negotiate terms with the carriers and push them out to their devices. The end user is also free to manually install updates themselves and many do, which is why so many unofficial firmwares are available through places like xda de
Re: (Score:3)
That's a fantastic excuse for a horrible model.
If Google actually wanted to get serious about this, they would contractually obligate their OEMs to send security-related updates in a timely fashion. Yet they don't, and *their* platform continues to have this god damn mess.
Throwing up your hands and saying "that is the OEM's problem" is a fantastic way to be selling devices that are actively exploitable, and ruin the reputation of your brand. Even Microsoft recognizes that.
Re: (Score:2)
That's a fantastic excuse for a horrible model.
And if you were at all familiar with the restrictions mobile operators place on device manufacturers, you'd understand that it's a factual one, as well. Even Microsoft recognizes that [windows.com].
We work closely with our carrier partners, and encourage them to test our software as swiftly as possible. But it’s still their network, and the reality is that some carriers require more time than others. By the way, this carrier testing is a common industry practice that all of our competitors must also undergo. No exceptions.
That said, this only applies to devices which the carrier has customized in some way [howtogeek.com]. As far as Nexus devices go, that only includes the T-Mobile Nexus 6 and, even then, the customization was done by Google and T-Mobile allows them to push updates directly and without approval. Every other Android device sold, by literally a
That doesn't mean ..... (Score:3, Insightful)
That doesn't mean the patch will hit users' phones ever, though.
There, I fixed it for you.
Weeks? (Score:5, Insightful)
How about months or never. The upgrade situation on Android is a joke unless you buy from Google.
Re: (Score:3)
How about months or never. The upgrade situation on Android is a joke unless you buy from Google.
Yes but so are most attack vectors. When a problem gets discovered in Windows, IE, Flash, Acrobat etc it's sometimes a matter of hours / days before exploits are in the wild, sometimes the exploits are out before the problem is discovered.
In the Android world I've yet to actually hear of a wide spread exploit self propagating between devices and turning them all into mass zombies. Typically we only hear about devices that were compromised via some dodgy app with questionable permissions, which is a far
Re: Weeks? (Score:2)
The problem with Android is that even when the flaw is fixed by Google it doesn't make it onto the majority of the phones out there. That's not good enough. Microsoft would never escape criticism for ignoring flaws but for some reason Android OEMs seem to get a free pass.
Re: (Score:2)
The free pass is given due to the attack vector. I would give Microsoft a free pass too when their bugs have very little impact or are incredibly unlikely to be exploited.
Just like I gave Linux a free pass when the malware was discovered last week and we all couldn't help but joke at the fact that parts of it didn't work, and when they did work it didn't do so very widely.
Re: (Score:2)
How about months or never. The upgrade situation on Android is a joke unless you buy from Google.
Not only is Motorola pretty good about updates, but I can get an AOSP build for pretty much any of their phones. I don't know if there are any other manufacturers as reputable, but I've been happy enough with Moto that my next phone will probably also come from them.