Google roasts critical twin Android bugs in new Marshmallow OS

Google has patched two critical remote code execution vulnerabilities as part of a suite of seven fixes in its fourth round of Android patching since August. The over-the-air updates are set to hit Nexus, Samsung, and Android Open Source Project (AOSP) devices first for Google's latest Marshmallow Android operating system. Google …

  1. jzl

    Really?

    Google haven't squashed the bug. All they've done is patch it on a handful of phones and update the source tree.

    Until they can properly organise a centralised patching system for all OEMs, they don't get to say they've squashed any bugs.

    1. Anonymous Coward

      Re: Really?

      > Until they can properly organise a centralised patching system for all OEMs, they don't get to say they've squashed any bugs.

      Yes they do. Since they did.

      1. Anonymous Coward

        Re: Yes they do. Since they did.

        No they don't. Because they didn't.

        That's why I love el Reg, such nuanced debate....

    2. bigtimehustler

      Re: Really?

      Well they have, whether OEMs choose to use the Google code to patch their own devices is entirely up to them. They have provided the code and patched their own phones. So they have squashed the bug, whether OEMs choose to squash the bug on their phones is their choice.

      It is up to customers to vote with their feet and just walk away if they don't like an OEM's patching policy.

      1. Anonymous Coward

        Re: Really?

        No, Google isn't done until they can coerce the OEMs to comply; otherwise, they'll still be liable for a vulnerable security practice. It's like leaving the back door open for the vendors and not realizing the same door can be used to stage a heist. A lawyer would be inclined to ask Google why leave something this important to the vendors anyway? And Google has ways to coerce compliance: not the least of which is a threat to withdraw the company from inclusion in further Android updates including Android N, and given that the Play Store is pretty much expected of every Android device and there's no viable alternative on the market (the only OS that can keep up with Android is iOS, which Apple keeps close to the vest. WiMo? HA!) it basically becomes "batten down or bail out".

      2. jzl

        Re: Really?

        "It is up to customers to vote with their feet and just walk away if they don't like an OEM's patching policy"

        Really? What percentage of Android consumers do you think are honestly tech-savvy enough to even know what a patching policy is, let alone have any idea before purchase about their vendor's policy?

        None. Or as close to none as makes a rounding error.

        Google should be ensuring compliance from end to end as part of their CTS and play store policy.

  2. WonkoTheSane

    Still waiting for Marshmallow

    Got it on my Nexus 5 phone, but still waiting for Nexus 7 2013 tablet.

    1. Anonymous Coward

      Re: Still waiting for Marshmallow

      Why not just download and flash the update? Doesn't invalidate your warranty, doesn't need you to root the tablet, and is very easy. The update file you need and the instructions are here: http://www.androidpolice.com/2015/10/15/flash-all-the-things-android-6-0-marshmallow-nexus-ota-roundup/

  3. This post has been deleted by its author

    1. Robert Helpmann??
      Childcatcher

      In my experience, Samsung devices won't receive a patch for AGES.

      And those dependent on their ISPs for updates will never get theirs at all.

      1. Stuart 22

        Better to be broke than sorry ...

        This is a large part of the reason I bought a Nexus 5X instead of its cheaper and better specced competitors. I'm afraid if you want better support/security on Android - you have to pay for it or possibly go down the CyanogenMod route.

        1. Anonymous Coward

          Re: Better to be broke than sorry ...

          Maybe, but lack of SD slot (to hold and interchange media like music) and removable battery (firsthand experience with bulging batteries) are deal-breakers in and of themselves.

          1. jzl

            Re: Better to be broke than sorry ...

            I understand the SD card point, but replacement batteries?

            Really?

            External USB batteries are so much more convenient - they are potentially much larger, they can be charged directly, and you don't have to power down the phone or fiddle with the case to use them.

            1. Gene Cash Silver badge

              Re: Better to be broke than sorry ...

              No, external USB batteries are far more inconvenient. I haven't seen any with a USB cable longer than a couple inches, so you put your phone in a cradle in your car, and usually you end up with the external battery waving in the breeze and falling off.

              1. Anonymous Coward

                Re: Better to be broke than sorry ...

                I'm not so much concerned with the lack of charge than I am about the need to service them without having to void warranty or take it to an expensive specialist. I'm used to being able to switch out batteries when they wear out (and they do eventually, be they lead acid or alkaline, NiCd or LiPoly). I recently did this on my S4 and now it'll keep me going for quite a while longer.

                PS. I DO use external batteries when working life is an issue (ex. a long bus ride). If you don't like the length of the cable the external battery gives you, just use the one that came with your phone, which is usually designed to plug into a wall adapter or the computer so should be at least a meter long.

      2. xybyrgy

        T-Mobile to update 13 non-Nexus phones to Android M

        Some will be updated eventually...

        https://support.t-mobile.com/community/phones-tablets-devices/software-updates#tmoSUPDocTitle

        1. Charles 9

          Re: T-Mobile to update 13 non-Nexus phones to Android M

          I've seen "Coming Soon" signs covered in cobwebs, so I'll believe it when I actually see it.

  4. Anonymous Coward

    "Google is unaware of any attacks" using these

    The problem is, by releasing the fix it allows the bad guys to examine the changes and figure out how to craft an exploit. Obviously that's the case anytime Microsoft fixes a previously undiscovered hole, but all Windows users have the option to upgrade if they want. Most Android users don't, so all Google can really say is "no one was using this for attacks at the time" but someone will now that Google just told everyone about it.

    Not suggesting they shouldn't fix them, of course they should, but it just exacerbates the problem for those who will never see the patch because Google effectively made the exploit public.

  5. Bota

    In January I'll be switching to iOS.

    Android security is a joke, I'm using a Samsung and apparently they won't be giving me an update to mm.

    Yes it's rooted and I can flash cm but why should I have to?

    I really think Google need to get their shit together and roll out updates like Apple do if they want to be taken seriously.

    1. Anonymous Coward

      But how do you coerce the manufacturers and carriers to comply?

  6. oneeye

    The real problem is that most users will never know that they have been pwned, and simply think their phone has turned into a POS. Then go buy another phone from an OEM that does security as an afterthought.

    The solution is to force OEMs and carriers to stop loading bloatware that needs an update from the factory, and let Google update the OS directly. Their themes and skins can be separated out.

    But then, they both would not be able to collect as much information to sell. And the chapters needs to be uninstallable.

    1. Anonymous Coward

      Not to mention at the time it was the ONLY way the manufacturers and carriers would agree to provide Android phones at all. Indeed, there may still be some resentment about Google trying to become more like Apple in terms of OS control.
