Kitz ADSL Broadband Information

Author Topic: New Android exploit  (Read 4286 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
New Android exploit
« on: July 28, 2015, 08:40:00 PM »

Really quite scary it seems, attacker just sends you a text  - you don't even have to read it.


And only a billion users affected.   :o

Been on lots of news sites, Beeb, Guardian, etc.   Reg' is arguably most respected these days...

http://www.theregister.co.uk/2015/07/27/android_phone_text_flaw

Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33883
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: New Android exploit
« Reply #1 on: July 29, 2015, 12:09:04 AM »

I find some of the comments and discussions from various sources confusing

Quote
Zimperium's researchers notified Google, which subsequently produced a patch to fix the problem.

However, millions of devices currently remain unpatched because hardware manufacturers and mobile operators have to distribute updates to customers themselves, and customers can reject updates manually.

In a statement, Google said: "This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no-one has been affected.

"As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week.

It all sounds pretty serious and I'm still not sure whether or not that means we will get a patch, or when.    :(
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4302
Re: New Android exploit
« Reply #2 on: July 29, 2015, 09:37:57 AM »

Anyone using an older Android phone almost certainly won't get a patch. Most networks modify Android to add their own features, so you then have to rely on the networks to roll out the updates and it very rarely happens, except on fairly new phones.

If you're running a phone with pure Android such as the Nexus then you will get an update.

Samsung seem to be good at pushing out updates for recent phones, but again if the network has modified the phone then you won't get the update until the network releases an update, if ever.

My phones are rooted so I'll update to the latest version of CyanogenMod and perhaps disable MMS as we never use it.
Logged
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

tbailey2

  • Kitizen
  • ****
  • Posts: 1245
Re: New Android exploit
« Reply #3 on: July 29, 2015, 09:47:33 AM »

Be careful what web sites you visit now as well. El Reg again:

Malvertising campaign hits 10 MEELLION users in 10 days

Cyphort researcher Nick Bilogorskiy says 10 million users may have been infected in as many days, thanks to a deadly malvertising and exploit kit campaign.

The cybercrime investigator says the popular Angler exploit kit is driving the campaign targeting users across Asia, the US, and parts of Europe.
...

Attackers made huge wins landing malicious ads on popular sites including The Drudge Report, celebrity trash mag PerezHilton, CBS Sports, Yahoo, Verizon FiOS, and eBay UK.

Full report HERE
Logged
Tony
My Books!
Plusnet 80/20 - DSLstats - HG612/TG582n - ECI

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: New Android exploit
« Reply #4 on: August 09, 2015, 01:01:51 PM »

Looks like some good may come of this, as some of the handset makers are apparently realising at last that Android phones may sometimes need security updates...

http://www.bbc.co.uk/news/technology-33794083

I'm still not convinced.   I was looking at new TVs last week, and noticed that the latest Sony sets run 'Android TV', in other words - if I understand right - they are basically big Android tablets with a TV tuner.   Now I tend to keep a TV for at least 8-10 years, but what chance realistically is there that Google will still be turning out updates for a 10 year old OS and even if they do, what chance Sony will find time to tailor it to their 10 year old sets, do all the testing, and roll it out? 

Logged

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43568
  • Penguins CAN fly
    • DSLstats
Re: New Android exploit
« Reply #5 on: August 09, 2015, 03:58:30 PM »

Quote
I'm still not convinced.   I was looking at new TVs last week, and noticed that the latest Sony sets run 'Android TV', in other words - if I understand right - they are basically big Android tablets with a TV tuner.   Now I tend to keep a TV for at least 8-10 years, but what chance realistically is there that Google will still be turning out updates for a 10 year old OS and even if they do, what chance Sony will find time to tailor it to their 10 year old sets, do all the testing, and roll it out?

That's not just an Android or a Sony issue. I'm sure most, if not all, modern TV sets are controlled by a computer system of some kind, probably Linux.
Logged
  Eric

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: New Android exploit
« Reply #6 on: August 09, 2015, 04:37:22 PM »

Quote
I'm still not convinced.   I was looking at new TVs last week, and noticed that the latest Sony sets run 'Android TV', in other words - if I understand right - they are basically big Android tablets with a TV tuner.   Now I tend to keep a TV for at least 8-10 years, but what chance realistically is there that Google will still be turning out updates for a 10 year old OS and even if they do, what chance Sony will find time to tailor it to their 10 year old sets, do all the testing, and roll it out?

That's not just an Android or a Sony issue. I'm sure most, if not all, modern TV sets are controlled by a computer system of some kind, probably Linux

Please do correct me if there's something I am missing but, on my current understanding, I would argue that it's a bigger issue for the Android-based platforms for two reasons...

1) Even if a set-maker decides that a critical fix is needed they can't fix it, they have to wait for Google to produce an Android update.   And for older versions of Android, Google may not bother.  That's not such an issue for phones which are generally short-lived but I think most folks, like me, expect a TV to remain usable a lot longer than a phone.

2) And even if Google were to decide that Android TV had a desperately important flaw, and distribute affected Android updates to set makers, the set makers would have big overheads testing compatibility with ancient hardware, and so may not bother to distribute it.

In contrast, for Smart TVs that use an in-house customised 'raw' Linux as opposed to Android, the set maker ought to be able to decide on the merits of a flaw and push out a fix quite quickly,  with no reliance on anybody other than the Linux kernel and open-source updates.  Just as happens (or at least can happen) with Linux-based router vulnerabilities and the like.

There is also the consideration that, for malicious software,  the bad guys are much more likely to focus attention on a huge and fairly static platform like a widely used (but perhaps old) version of Android, rather than looking for attacks on individual TV sets from a huge pool of different kernel versions.

As I say, just my understanding, may have some learning to do.   I'd never heard of 'Android TV' till last week, when I started to vaguely look for a new TV. :)
« Last Edit: August 09, 2015, 04:51:50 PM by sevenlayermuddle »
Logged

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: New Android exploit
« Reply #7 on: August 09, 2015, 07:25:35 PM »

I think going forward, Google probably want to update more components directly themselves via the Google Play store. For Android 5.0 and above, "Android System WebView", used by apps to display web pages, gets updated via Google Play.

As for Google not bothering to update old versions of Android, they probably expect manufacturers to upgrade to a later version instead. Some manufacturers tend to do that more than others anyway. Sony give their expensive flagship models updates and newer versions of Android for much longer than their less expensive models. Instead, if you want a newer version of Android, they make you buy a newer phone (and I'd decide to buy a new phone from another manufacturer).

But you never know, this kind of bug being discovered and publicised may prompt some manufacturers to release a patch even for their older phones. In 2014, Netgear released firmware updates for their DG834G routers to fix the "TCP port 32764" issue, even though it was about 5 years since the previous firmware release and those models had already been declared "end of support" a while ago.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: New Android exploit
« Reply #8 on: August 09, 2015, 09:11:26 PM »

As for Google not bothering to update old versions of Android, they probably expect manufacturers to upgrade to a later version instead.

I think you're right.  But when applied to TVs as opposed to mobile phones, they (TVs) typically have a much longer expectation of service life.   That then raises the question of whether a new version of Android could be assured of running on hardware that was, say, eight or ten years old?

I may be wrong, but I suspect Google would be reluctant to offer such an assurance.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7388
  • VM Gig1 - AAISP L2TP
Re: New Android exploit
« Reply #9 on: August 11, 2015, 10:45:41 AM »

This is blame for both Google and vendors.

Google will only patch 5.1, they consider anything other than the very latest point release not worth patching.

The vendors will only update devices still generating sales, and that's not even a fair way to say it as I have seen many phones sold in 2015 with Android as old as 4.0 on them.

The solution would seem to be like what Apple do, but the vendors will fight it as they want to use software to sell hardware.

Android as an OS is very inherently insecure, I am surprised it's had so few publicized exploits.

No SELinux prior to 4.4, and even then was only partial.
Massive fragmentation across userbase.
Software updates usually stopping within 18 months.
Too much freedom given to app developers in what their apps can do.
Not enough control given to handset users in what they can configure to lockdown security.

When the phone is rooted and especially if it has Xposed framework installed, then often the big vulns get patches added as Xposed modules meaning old versions of Android can be patched.

In my mind if you're going to use Android then root it, else get an iPhone.
« Last Edit: August 11, 2015, 10:50:11 AM by Chrysalis »
Logged