Google prepares 47 Android bug fixes, ten of them rated Critical

Google has teased 47 Android patches for Nexus and Pixel devices. Among the critical bugs in the Android Security Bulletin, five concern the media framework, one is system-level, four hit Qualcomm components. The worst, Google said, is one of the media framework bugs, not yet fully disclosed, but it “could enable a remote …

Silver badge

As any consumer rights fule noes: a low price is not an excuse for not meeting statutory requirements which in this case means providing relevant software updates.

However, what we are seeing is a failure of the regulatory authorities to enforce the relevant consumer protection laws. This is, unfortunately, typical for software.

3
0
Bronze badge

Android's Media Framework and Qualcomm chipset seem to be the new Flash Player or Acrobat when it comes to exploitable vulnerabilities.

No doubt we will see more vulnerabilities in those areas on a regular basis.

4
1

Apple don't disclose what they fix monthly in their low level hardware libraries, so it's really an unfair comparison.

0
4
Bronze badge
Facepalm

I wasn't comparing Android and Apple. The comparison was between buggy software that keeps giving exploits month after month.

Step off that horse carefully, it's a bit high....

1
0
Silver badge

Apple files a CVE for every security bug they fix in iOS. Just because Apple doesn't have a constant flow of bugs that allow an attacker to p0wn your device via MMS doesn't mean they're hiding such bugs. But if it makes you feel better about Android's failings to play whataboutism with iOS, be my guest.

Everyone has their weak point, Google's seems to be their media framework (though maybe Qualcomm takes a lot of blame there). Apparently Apple's is dates (still trying to figure out how you have a bug that hits at such a random time as 12:15am on Dec. 2...)

2
0
Anonymous Coward

" The comparison was between buggy software that keeps giving exploits month after month."

Nope, the clickbait writers at El_Reg have a free story every month. Apple never disclose what they fix behind closed doors. Given they use many of the same chips in their products, it's HIGHLY likely they are also integrating updated vendor drivers every month that fix the SAME bugs, they just don't tell you about it, and don't give away a free clickbait story as a press bonus...

0
1
Silver badge
WTF?

More objective reporting from El REg

Apple sprays down bug-ridden iOS 11 with more fixes

"Apple has posted an update to address a host of bugs in its iOS mobile software."

vs

"Google prepares 47 Android bug fixes, ten of them rated Critical"?

"Google has teased 47 Android patches for Nexus and Pixel devices."

The Android security model is fucked. Is there any reason you couldn't do the equivalent of apt-get update and pull down whatever updates are relevant to either your crappy £100 no-name mobe or your £700 Google flagship phone?

4
2
Anonymous Coward

Re: More objective reporting from El REg

You do, you go to the Google Play store, and press Update All.

Come on, this isn't idiot class. That's the equivalent of Apple updating its Calculator and Keyboards bugs.

0
9
Silver badge
Facepalm

Re: More objective reporting from El REg

@AC:"You do, you go to the Google Play store, and press Update All."

That updates your phone to Android 8.0 with the latest hotfixes, does it?

The Play Store updates your apps, you friggin halfwit.

I'm talking about the software that runs your phone. Back to idiot class for you I'm afraid...

7
3
Silver badge

Re: More objective reporting from El REg

The Android security model is fucked.

It's not without its problems but the evidence suggests that it's doing quite well: still waiting for something like Wanna Cry for phones.

All the modern phone OS do a fairly good job of something that is not that easy. They've had lots of examples of how not to do things and have indeed learnt from them.

1
1
Silver badge

Re: More objective reporting from El REg

"It's not without its problems but the evidence suggests that it's doing quite well: still waiting for something like Wanna Cry for phones."

The largest share of Android phones today (31%) are running Android 6.0.

Depending on whether you're running 6.0 or 6.0.1, you're looking at between 493 and 640 vulnerabilities which haven't been, or might never be patched. I won't even get into that bunch of CIA hacks for Android that showed up on Wikileaks earlier this year.

Still waiting for something like Wannacry? How about DoubleLocker? The Reg reported on it back in October.

2
1
Silver badge

old version !== vulnerable

I'm running 6.0.1 but still get periodic security patches; I've had several this year.

1
0
Silver badge

'Wannacry' for phones

The main reason you haven't seen it yet is because attackers haven't figured out a way to monetize a mass attack on phones. The days of hacks "for the lulz" are mostly gone, because it is now considered a serious crime.

PC malware is almost totally monetized now - either it sends spam, fake clicks ads, or more recently asks for ransom. Anything you do to a phone that causes battery life to take a shit will probably result in the phone being trashed and replaced - which would also be the fate of phones that got ransomware. It wasn't individuals ponying up the ransom for Wannacry, it was businesses and public institutions that incur real costs from it and figured paying the ransom was the cheaper alternative. That doesn't apply for phones.

0
0
Silver badge

Re: old version !== vulnerable

@Brewster's Angle Grinder:"old version !== vulnerable"

Ok. Check that link I posted to cvedetails.com in the post above - 6.0.1 has shitloads of vulnerabilities - how can you be sure your periodic updates have you covered?

0
1
Silver badge

Re: 'Wannacry' for phones

@DougS:"It wasn't individuals ponying up the ransom for Wannacry, it was businesses and public institutions that incur real costs from it and figured paying the ransom was the cheaper alternative. That doesn't apply for phones."

Watch the Eset video of DoubleLocker in action. The ransom was something like 40 or 50 quid.

How many people would happily pay that to get back all those photos of their kids that they've never backed up? Could be a good business model...

0
1
Anonymous Coward

Re: More objective reporting from El REg

That updates your phone to Android 8.0 with the latest hotfixes, does it?

No of course not. But neither does Apt-Get Update..... #Fail

You also seem to think that you need to be running the latest Android to be running the latest HotFixes, this is another fail. That is totally untrue. Patches go out every month all the way back to KitKat (and possibly beyond). It's hilarious how much fail is in what iOS fan-boys have been told about Android by Apple.

0
2
Facepalm

Overflows? Still?

I don't care about who gets what patch when. I don't care about the advantages or disadvantages of Android or iOS.

I care that any software was ever allowed to go into production when it permitted integer or stack overflows.

All software processes should Always test the validity of All data Before processing it.

Please feel free to print that out and epoxy it to your screen. We've (by which I mean users and accomplished programmers (of which I am both)) had enough. And deadlines are not an excuse to propagate system breaking code.

0
1
Silver badge

I'm confused.

Google say they have bugfixes for the OS on my Nexus phone. The OS version gets repeatedly listed.

But nobody is saying anything about whether there will be an update distributed.

Every OS manufacturer stops support for older versions. I can live with that. But I wish there was a bit more clarity about which OS version will get updates on which Nexus phones. Just a clear link to a "supported versions" page would be enough. It looks like the info is on Wikipedia, but I'd rather trust a page provided by Google.

Frankly, this story on The Register has too much of the feel of a press release by somebody who has no stake in the game.

0
0

if there is an update your phone will have patch level of the 5th or 6th of that respective month

like mine is currently november 5th on pixel 2, but they did not push the update out for the 6th nov update that fixes the wifi 0000 key that basically makes your secure WPA2 traffic basically unencrypted and injectable (i get that update plus all these security fixes very soon when i get 8.1 in next day or 2, for 99% of everyone else that be in next 6+ months or never unless they get a new phone)

0
0


Biting the hand that feeds IT © 1998–2018