Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Google Android Security

Google Says Google and Other Android Manufacturers Haven't Patched Security Flaws (engadget.com) 19

Google has disclosed several security flaws for phones that have Mali GPUs, such as those with Exynos chipsets. From a report: The company's Project Zero team says it flagged the problems to ARM (which produces the GPUs) back in the summer. ARM resolved the issues on its end in July and August. However, smartphone manufacturers including Samsung, Xiaomi, Oppo and Google itself hadn't deployed patches to fix the vulnerabilities as of earlier this week, Project Zero said.

Researchers identified five new issues in June and July and promptly flagged them to ARM. "One of these issues led to kernel memory corruption, one led to physical memory addresses being disclosed to userspace and the remaining three led to a physical page use-after-free condition," Project Zero's Ian Beer wrote in a blog post. "These would enable an attacker to continue to read and write physical pages after they had been returned to the system." Beer noted that it would be possible for a hacker to gain full access to a system as they'd be able to bypass the permissions model on Android and gain "broad access" to a user's data. The attacker could do so by forcing the kernel to reuse the afore-mentioned physical pages as page tables.

This discussion has been archived. No new comments can be posted.

Google Says Google and Other Android Manufacturers Haven't Patched Security Flaws

Comments Filter:
  • by ArmoredDragon ( 3450605 ) on Thursday November 24, 2022 @04:34PM (#63077620)

    Helping the Kremlin

    https://youtube.com/watch?v=4I... [youtube.com]

    Between that, and this:

      https://www.nytimes.com/2018/0... [nytimes.com]

    I've lost all respect for that company, and its employees for that matter.

    • by Wyzard ( 110714 )

      Helping the Kremlin

      https://youtube.com/watch?v=4IaOeVgZ-wc [youtube.com]

      Sounds like that guy has a decent case against RT, but he's pretty off-his-rocker in regard to YouTube. It's a pretty big stretch to claim YouTube is making "intentional efforts to undermine the United States of America in collusion with the Russian government" by not terminating all 39 of RT's YouTube channels because of a few minutes of copyright infringement by one of them. Lots of exaggeration and loaded language, and some strong hints of pa

  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Thursday November 24, 2022 @04:37PM (#63077624) Homepage

    The other problem is that these things only receive updates for a short time. This is the device "lifetime" which is often only 2-3 years. This is not shown on the box when you buy it; it is easy to buy something that was first released a couple of years ago that only has a few months of support coming.

    All of these things should get security patches for at least 10 years from when the last one was sold as new in a shop or web site.

    • by trparky ( 846769 ) on Thursday November 24, 2022 @07:28PM (#63077930) Homepage

      I've been saying this for years now. It's why I refuse to buy an Android and exclusively use an iPhone. Security on Android is a joke.

    • The other problem is that these things only receive updates for a short time. This is the device "lifetime" which is often only 2-3 years. This is not shown on the box when you buy it.

      I think this is a good, relatively-easy first step: vendors need to print end-of-support dates on the outside of the box, visible at point-of-sale, and it'd cost basically nothing, though it'd provide an easy pressure point from carriers...a 2-year subsidy on a phone with an expiration date that ends six months before the term of the contract would likely encourage longer support cycles.

      I also think mandatory, free bootloader unlocks no later than 6 months prior to the expiration date should be implemented.

    • by AmiMoJo ( 196126 )

      The issue here is that the flaw was in the Mali GPU driver supplied by ARM. Once they fixed it, the patch had to be tested by the manufacturer of the ARM SoC and rolled into the Board Support Package (BSP), and then tested by the phone manufacturer with the current version of Android. In some cases those last two are the same people.

      In other words it takes longer for the patch to reach users than it does with other types of software.

      As for security updates, the situation on Android is actually pretty good.

  • by Anonymouse Cowtard ( 6211666 ) on Thursday November 24, 2022 @05:08PM (#63077670) Homepage
    In Soviet Russia security floors YOU!
  • by jacks smirking reven ( 909048 ) on Thursday November 24, 2022 @05:22PM (#63077692)

    I understand Android launched during and somewhat as an answer to the era of carriers controlling the client hardware on their networks. To drive adoption Google had to cede some amount of control to the carriers and phone manufacturers, they needed their bundled, uninstallable apps after all...

    It's 2023 now though and is my phone really all that different than my laptop that I can't have a BIOS and ability to separate my hardware from my OS? I buy any x86 mobo and CPU from $20 to $20000 and install Windows or Linux on it out the gate, updates and all. I feel as though the reasons for this not happen for phones is purely profit and business related and nowhere near technical at all.

    The fact it hasn't happened yet to me means this is now a matter for legislation.

    • make it more like apple with the base OS updates.
      carriers having there own roms with slower / missing updates on top the manufacturers hardware that you can buy with out the carriers stuff. Can be an starting point with the updates just needing to be done by google / manufacturer

    • by AmiMoJo ( 196126 )

      Buy your phone outright, not from the carrier. Buy from brands that don't load their devices up with uninstallable shovelware, like Google, Samsung, and OnePlus.

      Yeah, even Samsung are not too bad now. Their version of Android has minimal changes from stock, they let you re-assign hardware buttons, and most of their own apps can be uninstalled or simply aren't installed at all, instead waiting for you in their app store.

      Avoid the lowest end handsets as those tend to be the most heavily subsidised. If you wan

      • I do use Pixel phones and my phones for the last 6 years or so have all been bought outright. Pixels are better but they all suffer from this issue. Pixel just means Google is upfront about what updates it gets and for how long, they are still nowhere close to operating like the x86 hardware we all know and love. No BIOS, no bootloader (without jumping through hoops) no updates if the phone manufacturer decides to drop support.

        There's gotta be a better way for the other 98% of Android users not on Pixels

        • by AmiMoJo ( 196126 )

          It really is down to the modem and SoC manufacturers. Their drivers are needed for the phone to operate, and in the case of the modem they have to be certified and made difficult to modify (e.g. by being signed).

          Those manufacturers only support recent versions of Android. People do extract those drivers for use in Lineage and other unofficial versions of Android, but they are unsupported and uncertified so no phone manufacturer could ship them without risking being booted off some carrier's networks.

          Apple b

    • Wow are you writing this from the future? What's it like? Should I buy Meta stock?
  • by rapjr ( 732628 ) on Thursday November 24, 2022 @06:14PM (#63077770)
    This is a classic misinformation tactic. The very person or group who should be fixing a problem makes a public proclamation that "this is a very serious problem and someone should fix it". They absolve themselves of blame by pushing blame onto people/funding/government and get out of doing the hard work and paying the cost at the same time. It often works.
  • At least they didn't type Google into Google. That could break the Internet.
    https://www.youtube.com/watch?... [youtube.com]

  • Mali has been a real problem for more than a decade for embedded developers working in the open souce space.
    Undoubtedly there are other nasty bugs that haven't been found yet - at lead publicly.
    The rumor was that ARM had stolen/infringed patents to compete so they couldn't release anything but a blog. That never excused how buggy it was (is?)

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...