Google emits three sets of Android patches to fend off evil texts, files

It's a smaller-than-usual Android patch bundle from Google – just 47 patches for 57 flaws. These software bugs can be exploited by installed apps or malicious code smuggled in multimedia messages and files to gain total control of vulnerable phones, tablets, internet-connected fridges and other Android gadgets – allowing …

  1. JeffyPoooh
    Pint

    When I were a wee lad, data was data and code was code.

    It just seems monumentally daft that modern computers will mindlessly overflow their buffers, naively accept malformed headers, happily find something to execute under any door mat.

    Hey coder drones. You're doing it wrong.

    1. Anonymous Coward

      Re: When I were a wee lad, data was data and code was code.

      So how do you do a JIT compile, where data is necessarily code and code is necessarily data? Harvard architectures can't do a JIT compile, which is a necessary speed boost sometimes.

      PS. Turing's Halting Problem proof relies on a similar view that code is data and data is code. Because in the end, how else can you compile things unless you realize this?

      1. MacroRodent

        Re: When I were a wee lad, data was data and code was code.

        > So how do you do a JIT compile, where data is necessarily code and code is necessarily data? Harvard architectures can't do a JIT compile, which is a necessary speed boost sometimes.

        Compile the code as data to a page (or pages) marked non-executable, then change the protection to execute-only. Arrange things so that the compiler is the only application that can change the page protection bits this way, and that it will compile only data that has been originally loaded from valid bytecode files (use checksums for example). This also requires that the CPU refuses to execute anything from a writable page. Perhaps not foolproof, but should make it much harder for malware to write stuff to a data page at run-time and then execute it.
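The page-protection sequence described in the comment above, as an added example that is not part of the original thread or of any real JIT: the code is written while the page is read-write and non-executable, then flipped to read-execute, and only input whose checksum matches is accepted. The names `wx_install` and `page_perms`, the FNV-1a checksum and the sample bytes are assumptions made for illustration; it assumes Linux (`/proc/self/maps`) and uses read+execute rather than execute-only.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* FNV-1a: toy stand-in for the "checksum of a valid bytecode file" check. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}
/* Copy the permission field ("rw-p", "r-xp", ...) of addr's mapping into out. */
static int page_perms(const void *addr, char out[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    unsigned long lo, hi, a = (unsigned long)(uintptr_t)addr;
    int found = -1;
    while (f && found != 0 && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, out) == 3 && a >= lo && a < hi)
            found = 0;
    if (f) fclose(f);
    return found;
}
/* "Compiler" side: accept code only if its checksum matches, write it while the
   page is RW and non-executable, then flip to R+X. Never W and X at once. */
static void *wx_install(const uint8_t *code, size_t len, uint32_t expect,
                        char before[5], char after[5]) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    if (len == 0 || len > pg || fnv1a(code, len) != expect) return NULL;
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, code, len);
    page_perms(p, before);               /* state while the compiler writes */
    if (mprotect(p, pg, PROT_READ | PROT_EXEC) != 0) { munmap(p, pg); return NULL; }
    page_perms(p, after);                /* state once the code is sealed */
    return p;
}
int main(void) {
    /* Constructed sample: bytes standing in for JIT output; never executed here. */
    static const uint8_t code[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3};
    char b[5] = "?", a[5] = "?";
    uint32_t sum = fnv1a(code, sizeof code);
    void *p = wx_install(code, sizeof code, sum, b, a);
    printf("installed=%d writing=%s sealed=%s\n", p != NULL, b, a);
    printf("tampered=%d\n", wx_install(code, sizeof code, sum ^ 1u, b, a) != NULL);
    return 0;
}
```
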

      2. JeffyPoooh
        Pint

        Re: When I were a wee lad, data was data and code was code.

        @AC

        A wise person wrote: "WTF A mobile OS can still be powned by a malformed text? In 2016!"

        Like seriously. They're doing it wrong.

    2. Anonymous Coward

      Re: When I were a wee lad, data was data and code was code.

      Every month they patch more holes that allow an MMS sent to the phone to execute code. Eventually there's going to be a huge exploit of this, where the remote code grabs your contact list and sends more MMS messages to your contacts to infect them. Even with some minority of Android phones patched by then, that will still leave a billion or so vulnerable devices worldwide that could be owned within a couple days.

  2. Barry Rueger

    Imaginary Bugfixes

    As far as I can recall, my Motorola phone has seen one major upgrade (to Lollipop) and one lesser bug fix update - maybe six months ago.

    I highly doubt that I'll see any other system upgrade, either major or minor.

    The whole Android concept, where end users are at the mercy of device manufacturers and carriers, is insane.

    1. Anonymous Coward

      Re: Imaginary Bugfixes

      What you aren't being told: Android is very secure anyway. (Sorry if this doesn't fit the agenda). There is a mitigation at the bottom of the security bulletin that gets ignored.

      "Android and Google service mitigations"

      ASLR, app scanning and other mitigations mean that even if you are stupid enough to disable device security and go shopping on dodgy websites for APK files, even on an old device, Google will still try and look after you. And make sure those billions of older android devices are still malware free.

      1. Anonymous Coward

        Re: Imaginary Bugfixes

        Android is "very secure"? Well, ignoring the ability for someone to send you an MMS that executes code on your phone, not to mention similar issues that exist unpatched on many Android devices. How is app scanning and ASLR supposed to mitigate that? It doesn't, which is why the patches for it (third month in a row for different versions of the same exploit, I believe) are marked as critical.

        You've just got your head in the sand, and assume because there hasn't been a widespread malware infestation yet that it must be secure. Didn't Windows fanboys all make the argument about XP's security for the same reason, until stuff like I.Love.You and NIMDA showed that it was more a matter of a hacker lacking the will than the way?

        The main thing preventing such a widespread attack is that they probably haven't figured out how to monetize it effectively. If some old school malware guy who just wants to make a name for himself and see the world burn decides to do it, there is nothing Google can do to prevent it, since they can patch the issues but they can't deliver and install the fixes to end users.

        Personally I think Android users should root for such a widespread attack, assuming it is one that does no real damage. That might shake up the OEMs and carriers enough to realize that they have to do a better job with patching, at least for the really serious holes. Get that same brand of bad publicity that caused Microsoft to get serious about security back in the 2003-2004 timeframe.

  3. big_D Silver badge

    Still waiting for Nougat on my Nexus 5X...

    1. Real Ale is Best

      Likewise for my Nexus 6P :-(

      1. WonkoTheSane

        I signed mine up for the beta. It worked throughout, and got the final release on day one.

    2. bazza Silver badge

      Seems that the patches are already being rolled out to BlackBerry Priv and DTEK50 mobiles (provided they're factory unlocked): Crackberry article

      Quick work! Not sure when BlackBerry are moving up to Nougat, but they're certainly quick off the mark with updates.

  4. Anonymous Coward

    WTF

    A mobile OS can still be powned by a malformed text? In 2016!

    1. bazza Silver badge

      Re: WTF

      Sigh, yes indeed. And with Android's particularly crummy update ecosystem it guarantees that there's a vast fleet of susceptible mobiles out there for years to come. With such a large proportion of mobiles in, say, the UK being out of date Androids, just simple war-texting (i.e. sending SMSs to random mobile phone numbers) is likely to get a lot of hits economically.

      1. WonkoTheSane
        Facepalm

        Re: WTF

        As AC says above:- Blame device manufacturers & carriers for sitting on the patches in case they break the pre-installed bloatware.

    2. Planty Bronze badge
      Stop

      Re: WTF

      No, stop confusing potential exploits with real exploits.

  5. Steve Davies 3 Silver badge

    One of the errors is from 2013

    and marked 'Critical'.

    Has it really taken them 3 years to fix this?

    I shudder to think how many devices will have been pawned using this exploit?

  6. Anonymous Coward

    Blackberry FTW on this one

    yep, update was waiting for me this morning.

    not subscribed to any beta whatsoever even.
