Got a Nexus? Google has five critical Android security fixes for you

Google has fixed 12 security bugs in its Android source code – including five that would allow miscreants to achieve remote code execution or root access. The Mountain View giant said its January Android security update includes patches for five CVE-listed security vulnerabilities it rates as "critical" risks, two considered " …

  1. Kraggy

    Just another example of why anyone who chooses to use an Android phone is bonkers if they don't use a Nexus... I love my Samsung Note II but it's never been updated so I'm in the process of switching to an iPhone 6s.

    1. This post has been deleted by its author

    2. Mr.Bill

      ignorant

      I don't know if I'd say bonkers, just ignorant. I agree in theory as a tech geek but after all these years I am really just unaware of any users of at least "first world" android based phones that have suffered at all. If for no other reasons than people seem to keep their phones for < 2 years and their more multilayered security vs Windows PCs for example, have a way larger attack surface, and legacy usage issues, such as admin by default and no vetted "app store". I think most of the vulnerabilities in phones just aren't practically exploitable in a significant way. The real security issue these days is these servers that are getting hacked.

    3. JeffyPoooh Silver badge
      Pint

      My Nexus 7 tablet is safe...

      It's so hobbled by the Google Nexus 7 tablet flash memory issue that any hacker would get bored waiting for it to respond, then it would hang up entirely.

      Incompetent coder drones at Google. Useless.

      1. Steve Evans

        Re: My Nexus 7 tablet is safe...

        Actually JeffyPoooh, the flash issue on the 2012 Nexus 7 is a hardware problem...

    4. Anonymous Coward
      Anonymous Coward

      Well my nexus5x is already updated to Jan 1st 2016 patch level...

      What makes you think iPhone is any more secure? Because Apple said so? Or because it's twice the price and half as good, so it must be...

      1. Barry Mahon

        Well, bully for you. My Nexus 9 still says the security update is 2015 and the update says it was checked this morning.

    5. Charlie Clark Silver badge

      Just another example of why anyone who chooses to use an Android phone is bonkers

      Actually, it's just an example of product liability legislation not being properly applied. Companies like Samsung would certainly up the game if they had a few legal cases to deal with. Of course, you're out of luck with your Note II (long out of warranty) but you should be able to stick CM on it without too many problems: a friend of mine keeps his Galaxy II alive with it. Still, if you've got the cash to splurge on an iPhone 6s, then good for you.

      Apple does have a justly good reputation for providing updates for all its handsets at once. But this isn't to say that it doesn't leave them exposed to flaws for long periods of time (the iOS 9 release notes indicated some glaring holes) and anecdotal evidence suggests that iOS updates are also used to encourage hardware updates.

    6. normal1

      I have the Nexus 5; will NEVER buy another Google phone.

      After the latest over the air updates my phone will not come out of sleep mode without a reboot.

      I can make calls but cannot receive calls till I get a new phone.

      Will NOT be a Google phone unless there are major changes.

      LG phones are never reliable, why on Earth did Google choose LG for a Nexus phone?

  2. jonnycando
    WTF?

    I hope

    CyanogenMod has already pushed out the fixes, but if not I do check out every nightly build that comes my way.

    1. asdf Silver badge

      Re: I hope

      Flashing nighties is just the ticket for granny to stay safe lol. No wonder Apple is the only company making money in handset manufacturing.

      1. Mr.Bill

        Re: I hope

        Yeah, I'm sure all the teens who seem to be 95% iPhones are buying them based on concerns of prompt security updates.

  3. Anonymous Coward
    Anonymous Coward

    patches

    I have a T-Mobile Galaxy S6 and that has had 6 updates since it came out, with no publicly known vulnerabilities (as of a few days ago anyway). I also have a Note 3 with CyanogenMod that I update monthly with the latest nightly build, which always contains the AOSP patches. So, it's hard to say that only Nexus phones are updated promptly. Apple even sits on a bunch of bugs/vulns for a while and then does a release here and there.

    1. asdf Silver badge

      Re: patches

      After Android shit the bed by the baddies being able to root your phone with an MMS it's not even worth comparing the two security wise. Root with an MMS lmfao. With holes that big why bother writing malware? I bet a majority of Android devices are still vulnerable even to this day.

      1. Destroy All Monsters Silver badge
        Paris Hilton

        Re: patches

        You seem to be one of the few people with superpowers able to actually assure us of the absence of (any further) bugs in "gated community for your convenience" Apple gear?

        Or else your trolling is on 4chan level.

        1. asdf Silver badge

          Re: patches

          Apple have a very strong financial incentive to not give root to either the baddies or their customers lol.

      2. Nunyabiznes

        Re: patches

        EDIT:

        @ASDF "I bet a majority of android devices are still vulnerable even to this day."

        Since my provider isn't pushing updates to my Android phones, you would be right. I'll have to root or upgrade soon just to update my phone. I won't be getting another Android based phone, not because they aren't fit for purpose, but because providers won't push updates to phones they sold.

        1. Shadow Systems Silver badge

          @Nunyabiznes, re Patches.

          Spot on.

          Even if the manufacturer is on the ball & creates updates to their devices, the carrier (I'm looking at you Verizon) may never push it out OTA to our handsets. If the carrier can't be bothered to provide security updates in a timely manner, then either we void the warranty by rooting it & upgrading manually, or we buy a brand new device with the latest OS that's available at the time.

          I've decided that I will no longer be a Verizon Victim & will be switching just as soon as I'm no longer in peril of being raped to death by early termination fees. Hell, even *APPLE* updates more often than Verizon!

          1. Steve Evans

            Re: @Nunyabiznes, re Patches.

            I'm so glad we don't seem to have carrier crippling here in the UK... Did about 10 years back with Nokia Symbian phones. Most of those *never* received an update unless you knew how to change their model number to generic Euro.

            I jumped to an Android HTC, quickly learnt how bad OEMs are at support and updates and have been Nexus ever since.

        2. Anonymous Coward
          Anonymous Coward

          Re: patches

          So a nexus is out of the question? 3 year patch guarantee.

          1. asdf Silver badge

            Re: patches

            Nexus comes with Gapps by default. Requires a google account to activate too if I remember right.

            1. Preston Munchensonton
              FAIL

              Re: patches

              Nexus comes with Gapps by default. Requires a google account to activate too if I remember right.

              You don't remember right.

        3. Captain Scarlet Silver badge

          Re: patches

          If your provider is the issue then don't buy from them.

      3. asdf Silver badge

        Re: patches

        The one thing that can be said for Android is the ability to be able to go completely open source with F-Droid is its one big advantage over iOS. But that generally requires voiding the warranty and does require frequent ROM flashing (to get latest patches, etc) and is not really an option for a non nerd. Still, it's perfect for a non-work spare older mobile. Android under warranty is a sucker's bet. Better to eBay an unlocked Android or get an iPhone under warranty.

        1. asdf Silver badge

          Re: patches

          Android under warranty is a double sucker's bet because you are almost always stuck without recourse to all of Google's lovely spyware Trojan horse software. Best part of cyanogenmod is telling Google Hangouts to fuck off proper and not even having a frigging google account on the phone leaking out your privacy.

          1. Anonymous Coward
            Anonymous Coward

            Re: patches

            Proof of the trojan spyware? You are saying it's baked into AOSP - what line of what file can I see it? Or is it a collaboration with Samsung? Why would Samsung allow it - they sell hardware, not data. Does Cyanogen know about it?

            1. asdf Silver badge

              Re: patches

              Who offers AOSP under warranty? Perhaps Amazon offers Android without GApps forced on you under warranty but it will just be replaced with their privacy busting apps. Samsung apps are just as bad except according to the eStar app put out by those Purdue researchers its apps drain the batteries far worse than Google's.

  4. Anonymous Coward
    Anonymous Coward

    But who had the most CVE vulnerabilities last year.

    Surprisingly, in only 2nd was Microsoft.

    In 1st place was Apple

    sssshhhhhhhhhh

    1. asdf Silver badge

      Re: But who had the most CVE vulnerabilities last year.

      CVE counts tend to relate more to what platform security researchers are paying attention to as opposed to the security of said platform. Was Android included? That would be my guess of number one OS wise considering the raw number of devices running it world wide.

      1. DougS Silver badge

        Re: But who had the most CVE vulnerabilities last year.

        A CVE ranking by vendor wouldn't include "Android". I suppose Google's would include it but Apple's include OS X, tvOS (the iOS for the Apple TV) and so forth so vulnerabilities in common code may be counted multiple times. Microsoft may suffer from that as well for e.g. vulnerabilities that affect Windows 7, 8, and 10 since those are considered separate products.

    2. Anonymous Coward
      Anonymous Coward

      Re: But who had the most CVE vulnerabilities last year.

      Hang on! I read the comments under the article yesterday that said MS didn't have the most CVEs last year and we were all agreed that counting CVEs was a pointless exercise that showed nothing about a platform's security....

      Where were you? Running your nightly cyanogen update?

  5. mathew42
    Mushroom

    Carriers blocking updates?

    I have a nice shiny Moto X Style. Unfortunately it doesn't have Marshmallow because Vodafone (only seller in Australia) have seen fit to block the update until they've validated it, regardless of the fact that the phone isn't connected to Vodafone. Previously Telstra blocked updates to the Nexus 6.

    My only option is to flash the firmware from another country and copy the correct modem files.

    The worst part is that I tend to use phones and tablets for more risky activities (e.g. connecting to public wifi) so security updates are even more important.

    1. phuzz Silver badge

      Re: Carriers blocking updates?

      You shouldn't need to flash the modem files that often, certainly not every time you flash the ROM.

      I think I've only had to upgrade the actual, low-level, firmware once on my phone, whilst sometimes flashing Cyanogenmod daily.

  6. Richard Jukes

    You guys are behind the times. People no longer care. It's a phone. It works. If you get hacked then you get a new phone and or take it back to the shop and if they get your card details the banks refund you.

    That's how most people think. Privacy? It's just a phone!

    It's shocking isn't it? But hey here in 1984 people love it...

    1. abedarts

      Agree

      Totally agree, it's so old woman-ish all this hand wringing about security.

      I've got more important things to worry about, like someone stealing the gas canister out of my caravan.

  7. Robert Helpmann?? Silver badge
    Childcatcher

    Other Countries?

    I am familiar with the situation here in the US concerning carriers not providing support and have read about the same in the UK. How does this issue play out elsewhere? How about Japan, Korea or continental Europe?

  8. Kevin McMurtrie Silver badge

    Third party ROMs sometimes have patches before the Nexus line. The key here is to not buy phones with permanently locked bootloaders.

    As for the Moto X Pure - boot without a SIM card and it becomes pure again.

    1. Bitsmith

      Ordinary end users simply don't care and in the real world the chances of them getting hacked are vanishingly small. The only thing that would make them sit up and take notice would be something akin to a mass effect Android worm that bricks tens of millions of devices.

      The only people flashing ROMs are us techies and even then I'd wager it's a small percentage of the technically savvy folks. Third party ROMs are not the answer. There needs to be a commercially viable incentive for Android vendors to update - ideally one that bypasses the Telcos entirely - and I can't see that happening.

  9. Richard Lloyd

    Nexus or CyanogenMod - only 2 choices

    If you're non-techie and concerned about security (which you should always be!), then the Nexus range is pretty well the only sensible Android choice. If you are techie, then it's either Nexus or a device that has CyanogenMod support (Nexus can run CM of course, which is what I do on my Nexus devices).

    At least Google is actually releasing monthly security updates now, which puts a little pressure on OEMs/carriers to up their game with similarly scheduled updates. The fact that you can see the security patch level month in "Settings -> About device" helps as well.

    1. dotdavid

      Re: Nexus or CyanogenMod - only 2 choices

      Not strictly speaking true - Motorola are still reasonably good with security patches, at least for their current generation handsets, although who knows how long this will last under the ownership of Lenovo.

      1. Anonymous Coward
        Anonymous Coward

        Re: Nexus or CyanogenMod - only 2 choices

        I suppose 'good' insofar that Motorola *are* patching stuff (compared to other manufacturers abandoning phones), but it's being done very slowly compared to pre-Lenovo ownership.

        My X took months to receive a Stagefright patch, despite announcement of said fix waaay back.

  10. Zog_but_not_the_first Silver badge
    Facepalm

    Limits of exposure

    Assuming the phone is hacked, what do the miscreants get? Contact lists, rambling texts and dozens of poorly composed photos mostly.

    Of course, you're not using your phone for financial transactions, are you?

    1. Nigel 11

      Re: Limits of exposure

      Of course, you're not using your phone for financial transactions, are you?

      Or for conducting an extramarital affair? Or for internet dating before you tell your soon-to-be-ex? Or for looking at naughty videos that your employer would not approve of? Because there are criminals called blackmailers and some of them will be tech-savvy.

      1. Intractable Potsherd Silver badge

        Re: Limits of exposure

        I don't use my phone for financial stuff, extra- (or intra-) marital affairs, internet dating, or watching naughty videos. I do use it for calling and texting people, email and occasionally reading websites, weather reports, making shopping lists and reminders, and as an alarm clock. Occasionally I use the GPS and mapping. Am I odd?

        1. Anonymous Coward
          Anonymous Coward

          Re: Limits of exposure

          Am I odd?

          I don't know, but if you'd asked "Am I old?" then your reported usage seems to point to an affirmative answer.

  11. dotdavid

    If Google aren't working on a way of being able to patch handsets irrespective of OEMs and carriers in Android O then they're being incredibly dumb IMHO.

    It is encouraging to see that other Android variants (Android TV, Android Auto, Android Wear) get their updates straight from Google - perhaps that is the long term plan but it can't come soon enough.

  12. Chronos Silver badge

    Brother Maynard

    ...lobbest thou thy MMS of Antioch toward Android 'phones which, being naughty in my sight, shall snuff it.

    We need a Holy Hand Grenade icon.

    /me sods off to check the CM repo for fixes

  13. Quortney Fortensplibe
    Thumb Down

    Catch-22

    With Marshmallow, Google has made rooting the device a lot harder, as system integrity is checked at boot time. Luckily the clever Mr. Chainfire has managed to come up with a systemless root to get around this.

    Unfortunately these new checks mean you have to return your rooted device to stock recovery before attempting to apply or manually flash any Android updates. There have also been reports of devices boot-looping after applying updates, if the user has previously disabled any of the built-in Google bloatware.

    So, on the one hand, Google releases timely security patches, but on the other, they make it increasingly harder for the end user to apply these patches to a rooted device [or to root the device in the first place], or to a device where the Google bloatware/spyware crap has been disabled.

    And, to pre-empt the inevitable "people who root only do it so they can run dodgy software" remark, I root my Android devices for one reason only: so I can use the excellent Ad-Away to customise my hosts file and block advertising and spyware [which is potentially a far bigger security threat than many of the ones these patches address].

    So, there's the Catch-22: Do you wait [possibly in vain] for your device manufacturer or carrier to get around to rolling out these patches, or do you root the device so you can do the job yourself today —knowing that increasingly the "vulnerabilities" these patches are addressing are the very ones which allow you to root your device and apply timely security patches in the first place?
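Richard Lloyd's point above about reading the security patch level under "Settings -> About device", and Quortney Fortensplibe's point about Marshmallow checking system integrity at boot, can both be turned into a scriptable check for a fleet or a single handset. The following is an added example, not code from this thread, from Google or from CyanogenMod: it reads the two properties Android exposes for these values (ro.build.version.security_patch and ro.boot.veritymode, both real properties on Android 6.0 and later) from a getprop-style dump, works out how many months the patch level trails a given date, and reports whether dm-verity is enforcing. The property dump embedded in the script is constructed for offline use; the commented-out adb line is how the same text is obtained from a connected device. The two-month staleness threshold is an assumption chosen for the example, not a Google policy.

```shell
#!/bin/sh
# Added example (not from the thread, Google, or CyanogenMod): check a device's
# monthly security patch level and its dm-verity state from a getprop dump.
#
# Real Android properties used (present on Android 6.0+):
#   ro.build.version.security_patch   the date shown under Settings -> About device, e.g. 2016-01-01
#   ro.boot.veritymode                "enforcing" when boot-time system integrity checking is on
#
# SAMPLE_PROPS is CONSTRUCTED for offline use; on a device the same text comes from `adb shell getprop`.
SAMPLE_PROPS='[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2015-10-01]
[ro.boot.veritymode]: [enforcing]'

# prop NAME DUMP -> prints the value of property NAME from a getprop-style dump (empty if absent).
# The dots in NAME are treated as regex wildcards by sed, which is harmless for these property names.
prop() {
  printf '%s\n' "$2" | sed -n "s/^\[$1]: \[\(.*\)]\$/\1/p"
}

# months_behind PATCH_LEVEL TODAY -> whole months by which PATCH_LEVEL (YYYY-MM-DD) trails TODAY
months_behind() {
  py=${1%%-*}; prest=${1#*-}; pm=${prest%%-*}
  ty=${2%%-*}; trest=${2#*-}; tm=${trest%%-*}
  pm=${pm#0}; tm=${tm#0}          # drop a leading zero so 08 and 09 are not read as octal
  echo $(( (ty - py) * 12 + (tm - pm) ))
}

# patch_status DUMP TODAY MAX_MONTHS -> prints current|stale|unknown; exit status 0 only when current
patch_status() {
  level=$(prop ro.build.version.security_patch "$1")
  [ -n "$level" ] || { echo unknown; return 2; }   # builds older than 6.0 do not report a level
  if [ "$(months_behind "$level" "$2")" -gt "$3" ]; then
    echo stale; return 1
  fi
  echo current
}

# verity_status DUMP -> prints the reported verity mode ("absent" if none); exit 0 only when enforcing
verity_status() {
  mode=$(prop ro.boot.veritymode "$1")
  echo "${mode:-absent}"
  [ "$mode" = enforcing ]
}

# report DUMP TODAY MAX_MONTHS -> two-line summary of both checks
report() {
  printf 'patch level: %s (%s as of %s, allowing %s months)\n' \
    "$(prop ro.build.version.security_patch "$1")" "$(patch_status "$1" "$2" "$3")" "$2" "$3"
  printf 'dm-verity  : %s\n' "$(verity_status "$1")"
}

# Against a connected device (uncomment when adb is available):
#   report "$(adb shell getprop)" "$(date +%Y-%m-%d)" 2
report "$SAMPLE_PROPS" 2016-01-05 2
```

On a handset where the boot-time check has been relaxed to allow root, ro.boot.veritymode will typically not read "enforcing", which is exactly the trade-off the Catch-22 post describes: the check that blocks a stale or modified system image is the same one that complicates applying updates to a rooted device.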


Biting the hand that feeds IT © 1998–2019