back to article Google proffers plugs in Android MMS pwnfest

Google has slung a new set of patches at the vulnerability hub that is Android media processing, fixing four critical flaws and 10 high-severity bugs. The vulnerabilities could allow user phones to be compromised through a variety of means including MMS, email, and following web links. Nexus users get the fixes first along …

  1. dervheid

    Be more impressed...

    When they fix the clusterfuck they made of Bluetooth with the last update...

    1. fuzzie

      Re: Be more impressed...

      *sigh* It appears to be a recurring theme even between minor versions. The wailing and gnashing of teeth appears to be constant between now-it-works-for-me and now-it's-broken-for-me, especially with relation to car kits.

      I want a Bluetooth-capable unit for my (slightly aging car), but don't fancy it variously working or not depending on the minor release cycle. A friend's keeping his Nexus 3 with Android 4.3 as "bridge", since that's the last version that worked with his car (major luxury german brand OEM)'s head unit.

      1. dervheid

        Re: Be more impressed...

        Yup, Nexus forums awash with this one, looks like just about every car manufacturer affected.

        Had some direct exchange with google, proffering the usual 'solutions', including Factory Reset (which doesn't reset the device to KitKat, so not a lot of use...) concluding in a distinct washing their hands of it.

        Really pissed at having spent a shitload of cash on their 'flagship' device to have them piss all over one of the major functions (for me anyway).

        certainly not inclined to spend my hard-earned with them next time round, but unless someone comes up with a better alternative that isn't apple or microsoft...

  2. PJF

    ,or never,

    That's about right...

    Still running 4.something

    on a Samsung Gal.5 on Sprint in the US

    Gave up after 4.4 that almost bricked it - now on Cy...

    1. Adam 52 Silver badge

      Re: ,or never,

      As an aside the most recent update (about two weeks ago on 3 in the UK) to the s5 seems to have fixed the Android 5 update which, like you say, pretty much bricked the phone.

      The Android industry really does need to fix this slow to never and unreliable update problem, other branches of IT manage it. Microsoft used to be good until they started abusing the trust and Debian haven't broken anything for years. Speed of patching is now one of my purchasing decisions when buying a phone.

      1. Anonymous Coward
        Anonymous Coward

        Re: ,or never,

        My cheap as chips Winphone got updated (no not to 10) last night. Not just a bug fix either as my 4G has gone from 30mbs download to 89...yippeee.

        3rd major update in a year.

        My Samsung droid....well if I get off 4.0, I'll let you know.

        1. sabroni Silver badge
          Windows

          Re: my 4G has gone from 30mbs download to 89

          Presumably with a corresponding boost in uploading your personal info to MS.

          1. TheVogon Silver badge

            Re: my 4G has gone from 30mbs download to 89

            "Presumably with a corresponding boost in uploading your personal info to MS"

            But presumably still way behind Google in that regard.

            1. sabroni Silver badge
              Thumb Up

              Re: But presumably still way behind Google in that regard.

              Windows phone + browser = best of both worlds!!!

              1. Anonymous Coward
                Anonymous Coward

                Re: But presumably still way behind Google in that regard.

                "Windows phone + browser = best of both worlds!!!"

                Well yes - no spyware on Windows Phone - or Edge - unlike with Google Android / Chrome. And Edge is faster than Chrome, and Windows Phone is faster and smoother (and far more secure!) than Android.

      2. Anonymous Coward
        Anonymous Coward

        Re: ,or never,

        The Android industry really does need to fix this slow to never and unreliable update problem

        It certainly does!

        But the trouble is, they don't need to! 95%[0] of phone users don't care about this. Making matters worse, they've been burned too many times with updates on the desktop, that they don't even want it.

        Until the masses start voting with their wallets, the manufacturers/carriers aren't going to waste their time updating their stuff.

        I wouldn't mind, but the fixes are already made for them, and they don't even have to develop the OS!

        Google really need to clamp down on this.

        [0] That number was pulled out my arse

        1. DougS Silver badge

          "95% of phone users don't care about [updates]"

          I agree with AC, and think the same is probably true for iPhone users despite the large uptake on updates. I have an iPhone and appreciate the regular updates that last five years or so after the phone is introduced, but fixing security holes is pretty invisible to the typical user. While iPhone users update in large numbers, it is because they will hear about some new feature like Apple Music. When there's a x.y.z point release that just fixes a few bugs it I doubt it gets much attention beyond people who update just to get rid of that little red "1" on the Settings app...

          I think it would take a severe security issue (one that is being exploited in fairly large numbers that is hard to defend yourself against via simply being careful) before the masses really appreciated the difference in the speed of updates and support life of devices for iPhone over Android. Even then those who go for the less expensive devices might think to themselves "I can buy a $150 Android or $650 iPhone, and if there's a security issue I can always "update" by buying a brand new $150 Android and still come out ahead". That's not exactly a strategy that Android OEMs would have a problem with, so you can see why there's little incentive for them to change their behavior.

          FWIW, while writing this I wondered if iOS 9.2 was out and found it had just been released this morning. Just finished updating while writing this :)

    2. big_D Silver badge

      Re: ,or never,

      Manufacturers and providers are going to have to realise that smartphones are no different to any other personal computing device and need security updates provided as and when they become available. If they tried this in the Windows world, there would be an uproar.

      The core OS should come form AOSP or Google directly and be patched directly. The provider and manufacturer should have no say in this level of security patches, they should only be responsible for their "value add".

      1. Boothy

        Re: ,or never,

        The Android OS should be more like ChromeOS, the same OS irrespective of the devices origin.

        You could then do the 'value add', by a simple 'branding on boot' process.

        The 'branding' could be a simple zip file containing things like...

        * wallpapers

        * notification audio files

        * manufacturers apps

        * Bookmarks

        * Device drivers

        * Custom settings, including setting defaults, (i.e. use this background/ringtone/home page/app etc).

        On first boot (or after a factory reset), the OS simply looks for a 'branding' file (or files). If there isn't one, you get a stock Android, (aka Nexus), if one exists, then during initial boot up, the branding items are applied.

        Edit:

        Forgot to mention, of course OS updates should be OTA and direct from Google, only the branding component would be produced by the Manufacturer/Carrier, and even then, generated via tools provided by Google.

      2. fuzzie

        Re: ,or never,

        Google's been actively moving away from that model by incorporating more and more into Play Services, to the point where I'd argue that AOSP is becoming irrelevant for much more than the kernel and HAL.

        The baseband stuff should be spun out so they can do base OS/firmware updates without requiring re-certification every time. The latter is a barrel full of pain that they push onto the OEMs and that significantly extent the shortest possible patch cycle.

  3. Jess

    Android does seem a bit of a mess

    I don't understand why they didn't simply push out a new messaging system without the bug from the play store. (Even if some need to manually install it).

    I recently discovered that android phones alarm won't work from off. WTF? (The same flaw is my main gripe with BB10, every phone I have used before did it.)

    1. sabroni Silver badge

      Re: android phone's alarm won't work from off.

      When I switch my phone off, I want it to turn off. Sounds like you want an alarm clock.

    2. Michael Wojcik Silver badge

      Re: Android does seem a bit of a mess

      I don't understand why they didn't simply push out a new messaging system without the bug from the play store.

      The bug isn't in the messaging system - it's in Stagefright, the rendering engine for various types of media. It's just easy to exploit automatically through MMS clients that auto-preview media.

      I suppose Google could have put Yet Another MMS client in the Store, without auto-preview. But since you can turn that feature off in most or all clients, there isn't really much point.

      And Stagefright (and other core components) can't be updated through the Store.

  4. RyokuMas Silver badge
    FAIL

    Wow...

    "Google has slung a new set of patches at the vulnerability hub that is Android media processing, fixing four critical flaws and 10 high-severity bugs."

    Substitute "Microsoft" for "Google" and "Android" for "Windows" and I'd swear we were back in the early 2000s with that opening line... those who do not learn from history...

  5. Anonymous Coward
    Anonymous Coward

    Already running it

    Android 6.01

    Patch level Dec 1st 2015

    Don't really see what this nonsense about android devices not getting updates is all about. My Nexus is as well supported as anything apple makes (and more functional)

    Guess its just a lazy reporting bandwagon to jump aboard, as I know the other big android are committed to monthly ota updates, Samsung, Sony, HTC LG and the like.

    1. Anonymous Coward
      Anonymous Coward

      Re: Don't really see what this nonsense about android devices not getting updates is all about.

      A minutes googling would show you that the vast majority of Android handsets run old versions and don't get patches. 40% on 4.4 or lower, another 40% on 4.4.

      It would appear the nonsense is your mistaken belief that Android devices get patches.

      But then "Google is taking the lead on revitalising the patching pipeline for the Android ecosystem". About 6 years too late.....

    2. fuzzie

      Re: Already running it

      The other Nexus owners who've been dropped off the upgrade list might disagree with you on that.

  6. David Roberts Silver badge

    Show me the risk

    Family has a Galaxy S3 and S4. Well out of date and updates, but so far we haven't apparently been ripped apart by hackers .

    So what is the real risk of bad things happening to the average Joe? Or do you have to root your handset, sideload software and visit dodgy sites before you get attacked?

    1. Michael Wojcik Silver badge

      Re: Show me the risk

      So what is the real risk of bad things happening to the average Joe?

      Impossible to estimate. Given the number of Android devices out there, I suppose it's not hugely likely that you'll get attacked randomly via MMS or any other relatively expensive vector. On the other hand, the Stagefright issues can be exploited via email and web, too, if you attempt to render multimedia content delivered over those media (or any other).

      MMS is the traditional vector for discussions of Stagefright because many MMS clients default to auto-preview, which means they're vulnerable by default - no user action (or, at most, viewing the message) is required.

      On the other hand, if any of you manage to piss off someone who's both knowledgeable and immoral...

      Or do you have to root your handset, sideload software and visit dodgy sites before you get attacked?

      No. All you have to do is attempt to render malicious media, which can arrive by any number of means. A standard Android device with a sufficiently old version of the OS is vulnerable out of the box.

      If you have a phone configured to preview media in MMS messages without being unlocked (assuming that's possible - I know some clients can be configured to preview at least the text portion without being unlocked), it should be possible to take it over without even unlocking it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019