Posted Monday 3rd November 2008 11:49 GMT
"Users of the G1, developed by HTC, was patched over the weekend in response to the discovery of a flaw in its browser software on 24 October."
So, its the users of the G1 that have been patched rather than the software itself??
Posted Monday 3rd November 2008 13:01 GMT
"...The bug was discovered by Charlie Miller, Mark Daniel and Jake Honoroff of Independent Security Evaluators ..."
This seems to happen with amazing regularity. Big software company releases product - some specialist software security organisation has a look at it and finds a security flaw. Wouldn't it be better, easier and cheaper in the long run to call them in before the product is released? They could go over it, give it a good kicking, or whatever it is they do, ................... or am I being naive in some way? Please tell me.
Posted Monday 3rd November 2008 13:01 GMT
I'd been following this story for a while and was hoping that when I took my G1 out of the box on Friday it would at least have a relatively recent firmware. The patched US version is RC29. My out of the box G1 in the UK has RC7 and no sign of an update being available yet...
This seems to be one are where an open source mobile OS is a bad idea - the patch has been published and makes the hole fairly obvious for anyone who wants to write an exploit. So now the black hats could quite happily write code knowing that there will be exploitable handsets out there for quite some time due to T-mobile's staggered push updates...
Posted Monday 3rd November 2008 13:01 GMT
you could just send the patch to the 3 people who actually bought the phone....
Posted Monday 3rd November 2008 17:20 GMT
At least Apples patches go out to the entire world in one go, they might not always work first time but at least you'll get it.
Sounds like Android is the new Linux, i.e. you spend half your time having to systems manage the damn thing to make it work.
Paris because she likes to be exploited....
Posted Tuesday 4th November 2008 09:15 GMT
No new platform is ever free of flaws (nor mature ones for that matter).
It is good to see that Google is working with the researchers to release patches in a timely manner (how quickly the cellco pushes them out to end users is an entirely different issue).
This is a contrast from how Apple seems to deal with flaws:
- refuse to work with the security researcher reporting the issue
- refuse to confirm the existence of any flaws (when the media inevitably learns of it)
- refuse to notify users of any work arounds / precautions they can take to protect themselves
- eventually include a patch for part of the flaw in a larger firmware update with some innocuous sounding description to hide the real seriousness of the flaw
- continue refusing to confirm the existence of any remaining flaws
- quietly patch the rest of the flaw at some later stage
Posted Wednesday 5th November 2008 08:56 GMT
Is RC7 and RC29 etc a generic Android thing? Or is it just versioning for the G1? And if it's just for the G1, are the US and UK versions comparible? For example, is RC7 UK the same as RC7 US? Or are they different due to differing services being made available either side of the pond (eg. no Live Messenger or AIM in the UK version). I have a feeling the latter will be true and therefore we'll probably find that the UK version is equivalent in core companants and security to RC28 in the US, or whatever was before the latest patch. So people saying the UK is way behind on RC7 could be a little out... although I do think we're 1 patch behind due to the recent launch.
Sign up, sign up for The Register's weekly mobile & wireless newsletter - click here
Back to the article
