
Google Confirms Android 10 Will Fix 193 Security Vulnerabilities (forbes.com)

"Were it not for third-party components, the August Android Security Bulletin would have been the first report to be released with only a single critical vulnerability found," reports TechRepublic. "However, with the inclusion of Broadcom and Qualcomm components, there are seven in total."

Meanwhile, Forbes reports on what's being fixed in September's release of Android 10: 193 Android security vulnerabilities needed to be fixed, covering a broad swathe of elevation of privilege, remote code execution, information disclosure and denial of service categories. Two of these are in the Android runtime itself, another two in the library and 24 in the framework. The bulk, however, is split between the Android media framework with 68 vulnerabilities and the Android system with 97. All have been scored as "moderate" severity.

The good news is that all will be fixed by the default Android 10 patch level of 2019-09-01 on release of the new OS. Also on the positive news front, the security bulletin update stated that "we have had no reports of active customer exploitation or abuse of these newly reported issues."

  • by geek ( 5680 ) on Sunday August 25, 2019 @11:39AM (#59123066)

    That get the upgrade in the first 6 months can rest assured their device is secure then. I really don't care what Google does with Android until they fix the upgrade issues. No upgrades on devices, no sale. They have all the leverage they need with device makers to get this to happen but don't.

    • Oh puh-lease, Google isn't bothered to upgrade (and more crucially update) their own Pixel phones for more than 3 years. Before you lightheartedly blame the OEMs for not upgrading their devices, consider for once that Google may not maintain the level of ABI stability needed for existing drivers to work with newer releases. You see, people like to belittle Microsoft for not changing the Windows NT kernel often, but this is the reason your old laptop from the Windows Vista era can be upgraded to the latest W
      • I used to complain about the lack of upgrades, along with everyone else, but ever since I got a Chinese phone (Umidigi, big in China and India, mostly unknown in the US) I've had continuous updates, the last a week ago. It's kinda the reverse of what you'd expect, full-featured phone, stock off-the-shelf Android without any vendor-provided crapware, unlocked, etc. It's lucky vendors like this can barely manage to meet demand in Asia or they'd own the market.

        Oh, and before the usual crowd jumps in with "hu

    • I really don't care what Google does with Android until they fix the upgrade issues.

      Literally, all they need to do is some level of standardization at the bootloader level, standardize an API for the baseband modems, make a HAL worth a damn, then copy Windows' ability to let users install OS upgrades. There's *plenty* to very-justifiably dislike about the OS, but the fact that I can use a Windows 10 install disc on virtually any computer manufactured in the past decade and have it boot is something for which there is no reason Android can't have happen, too.

      Everyone loves to cry "but users

      • Apparently x86 PCs enjoy a standardized boot process, basic hardware, and hardware discovery mechanisms that just aren't there in the world of ARM SoCs. That's the reason (or one of them) that you can't have generic OSs that boot on all Android phones like Windows does on PCs.
        OTOH Google has taken steps to make updating Android easier: They have something called "project Treble" which aims to decouple vendor modifications from Android's base code so that updating is easier. On hardware that supports projec
      • Literally, all they need to do is some level of standardization at the bootloader level, standardize an API for the baseband modems, make a HAL worth a damn, then copy Windows' ability to let users install OS upgrades

        You mean what Android Mainline is proposing to do with the release of Version 10?

    • Re: (Score:3, Informative)

      by thegarbz ( 1787294 )

      That get the upgrade in the first 6 months can rest assured their device is secure then.

      Sorry but it hasn't worked like that in years. Android security patch levels are now independent of the OS version itself. Most people with a phone less than two years old will have the updates within a month or two. Many people beyond this find themselves with a phone that still gets security patches pushed by vendors. I'm currently using a 3 and a half year old phone, 4 generations behind the current, with an OS that will shortly be two major versions behind, and yet I have all security patches up to date

    • Buy any Android phone marked "Android One" and get what you like. Guaranteed updates for 2 years, monthly security patches for 3 years.

      https://www.android.com/one/ [android.com]

  • "The bulk, however, is split between the Android media framework with 68 vulnerabilities and the Android system with 97." Amazing how vulnerabilities tend to cluster around code written in languages with loose pointers and unsafe arrays (that is, C and C++ for Android)
    • Java is written in languages with loose pointers and unsafe arrays.

      Python comes from a source tarball that is built with a C compiler.

      You're probably right that typical programmers aren't qualified to delve beneath a Fisher-Price protective cover. But there is going to be stuff beneath there that's scary that you don't understand.

    • by 110010001000 ( 697113 ) on Sunday August 25, 2019 @12:16PM (#59123130) Homepage Journal

      Safe pointers and arrays have been available for C++ for over a decade. What does this have to do with anything?

    • by Viol8 ( 599362 )

      Good luck writing device drivers or low level graphics libraries in java, python, ruby or some other managed language that hides the complex nasties from you that HAVE to be dealt with manually when you code to the metal.

  • lol (Score:5, Funny)

    by Type44Q ( 1233630 ) on Sunday August 25, 2019 @11:51AM (#59123088)
    ...and introduce 900 more.
  • Comment removed based on user account deletion
  • because I only ever got 1 system update for the phone I've been using for 7 years.

    I am at version 5.5.1

    • > I am at version 5.5.1

      Don't use it for anything where security would matter, then.

      Android 9 with August patches is the minimum one should head into treacherous waters with.

      Some people say they don't care because their comms aren't secret but then they install their bank's app...

  • Nah, the good news would be if google noted which of those vulns affected earlier versions, and cajoled the various vendors to update their systems appropriately.
    • They do. Patch Level (what Forbes is describing) and the OS version number have absolutely nothing to do with each other since 2016, and most vendors release security updates quite frequently. Just because my OS is 2 versions behind on my 3 year old phone doesn't mean that I don't expect within a month all those 193 vulnerabilities (or at least relevant ones) to be fixed on my run of the mill Samsung device too. I didn't get the August update so given I get them typically every 2 months I'm expecting to

  • Wow, 193 vulnerabilities?

    At some point I'd be tempted to scrap the project and write all fresh code so we could start over with a new, more comprehensive set of vulnerabilities.

  • Alternative take.
    • Google confirms Android 9 has 193 vulnerabilities.

      Only for another week because Android OS versions and patch levels have nothing to do with each other, and when 1/09/2019 is released Android 9 will have just as many confirmed vulnerabilities as any other Android version (back to version 7.0 at least since that's when they introduced the security framework).

  • There must be an alternative to Apple's walled-in garden and Google's selling of customers' privacy.
  • by rnturn ( 11092 ) on Sunday August 25, 2019 @04:16PM (#59123538)

    ... to get this update. T-Mobile hasn't issued any Android updates since 08/2018 and that was just to get to 8.0.0. (Our previous vendor, Verizon, was just as bad.) Are all the cellular vendors' patching/upgrade track records this pathetic?

    • That's why I bought an Android One phone. Lenovorola claims that I will get an update on my Moto E4. I just got a security update, and have been getting those very regularly, so I still have high hopes.

      I had a SEMC Xperia Play and they never bothered to bring out ICS for it even though they had promised to do so, so I don't take such things for granted. I'll believe it when I see it. But at least I've got a shot.

    • You don't need the latest OS for security to be up to date. Forbes is conflating two issues based on a release note. Yeah Android 10 will fix 193 security updates, but on September 1st it will also do so in Android 9, 8 and 7.

      I'm not sure why you would need T-mobile to issue you a security update though. They need to come from the vendor and don't affect carrier customisations. *Most of us* definitely do not need new phones, as the vast majority of the phones from brand name manufacturers (can't speak for t

    • Huh? Why would you expect your service provider to make updates for your phone? Your phone manufacturer does that: Samsung, Motorola, LG, Nokia, etc. All your service provider does is throw some extra bloatware on the image if you bought a phone on contract instead of wholesale. If you're not getting updates quickly enough, blame your phone manufacturer. Nokia's doing a great job with updates, for example.
  • Will they remove the need for a Google account then? That alone would probably solve at least 500 problems.
  • Then you will get the updates and you won't have Samsung bloatware on your device.
