Google has responded to the discovery of a security bug by pushing out the first patch for its Android mobile phone platform. Users of the G1, developed by HTC, was patched over the weekend in response to the discovery of a flaw in its browser software on 24 October. The bug was discovered by Charlie Miller, Mark Daniel and Jake …
New Google Tactic??
"Users of the G1, developed by HTC, was patched over the weekend in response to the discovery of a flaw in its browser software on 24 October."
So, it's the users of the G1 that have been patched rather than the software itself??
Deja Vu - again
"...The bug was discovered by Charlie Miller, Mark Daniel and Jake Honoroff of Independent Security Evaluators ..."
This seems to happen with amazing regularity. Big software company releases product - some specialist software security organisation has a look at it and finds a security flaw. Wouldn't it be better, easier and cheaper in the long run to call them in before the product is released? They could go over it, give it a good kicking, or whatever it is they do, ... or am I being naive in some way? Please tell me.
But when do we get it?
I'd been following this story for a while and was hoping that when I took my G1 out of the box on Friday it would at least have a relatively recent firmware. The patched US version is RC29. My out of the box G1 in the UK has RC7 and no sign of an update being available yet...
This seems to be one area where an open source mobile OS is a bad idea - the patch has been published and makes the hole fairly obvious for anyone who wants to write an exploit. So now the black hats could quite happily write code knowing that there will be exploitable handsets out there for quite some time due to T-Mobile's staggered push updates...
Easiest upgrade ever...
you could just send the patch to the 3 people who actually bought the phone....
And to think they laughed at Apple
At least Apple's patches go out to the entire world in one go, they might not always work first time but at least you'll get it.
Sounds like Android is the new Linux, i.e. you spend half your time having to systems manage the damn thing to make it work.
Paris because she likes to be exploited....
No new platform is ever free of flaws (nor mature ones for that matter).
It is good to see that Google is working with the researchers to release patches in a timely manner (how quickly the cellco pushes them out to end users is an entirely different issue).
This is a contrast from how Apple seems to deal with flaws:
- refuse to work with the security researcher reporting the issue
- refuse to confirm the existence of any flaws (when the media inevitably learns of it)
- refuse to notify users of any workarounds / precautions they can take to protect themselves
- eventually include a patch for part of the flaw in a larger firmware update with some innocuous sounding description to hide the real seriousness of the flaw
- continue refusing to confirm the existence of any remaining flaws
- quietly patch the rest of the flaw at some later stage
US and UK version history the same?
Are RC7 and RC29 etc. a generic Android thing? Or is it just versioning for the G1? And if it's just for the G1, are the US and UK versions comparable? For example, is RC7 UK the same as RC7 US? Or are they different due to differing services being made available either side of the pond (e.g. no Live Messenger or AIM in the UK version). I have a feeling the latter will be true and therefore we'll probably find that the UK version is equivalent in core components and security to RC28 in the US, or whatever was before the latest patch. So people saying the UK is way behind on RC7 could be a little out... although I do think we're 1 patch behind due to the recent launch.