Google splats more bad Android security bugs with patches your mobe will probably never see

Another month, another patching cycle for Android. Google's mobile OS has picked up seven critical patches, ten classed as high priority, and a pair of moderately important fixes. In short, playing back a booby-trapped video or receiving a message with malware hidden in it could lead to malicious code running on a vulnerable …

  1. Smooth Newt
    Unhappy

    The vast majority of Android users aren't going to be getting these updates soon enough, however.

    The vast majority of Android users aren't going to be getting these updates ever. FTFY

    1. asdf Silver badge

      Re: The vast majority of Android users are screwed

      Proving once again apart from perhaps Nexus devices, Android only makes sense bought cheap after the warranty is gone and loaded with custom roms that do get the fixes.

    2. Anonymous Coward

      Re: The vast majority of Android users aren't going to be getting these updates soon enough

      Sorry, that's bollocks.

      The patches are released for 5.1 and 6.0 and most of my devices already have them; the others (if last month's updates are anything to go by) are due in a couple of weeks.

      I know it's really fashionable to bash Google and Android. Remember when they got bashed for not releasing security updates often enough? Now they do, it's time to twist the argument.

      How many Android users have you ever come across that have ever had any malware or nasties on their device? Me, I see loads of devices, and have NEVER come across a single issue. I also see Windows PC's and it's rare to come across one that's clean...

      Let's stop pretending Android is the new Windows, when it comes to vulnerabilities, it's not.... It has LESS CVE's than iOS.... (which only today had several critical lockscreen bypass bugs... Someone want to tell the FBI???)

      1. Anonymous Coward

        Re: The vast majority of Android users aren't going to be getting these updates soon enough

        > The patches are released for 5.1 and 6.0 and most of my devices already have them

        My Moto G (1st gen) got 5.1 ages ago, and hasn't had an update since (not even 5.1.1).

        It's still working fine as a phone. It would be a real shame either to bin it, or have to jump through the rooting / modding hoops.

        1. chasil

          Moto G

          I have a 4.4 Moto G with a locked bootloader. I'm hoping that I can Sunshine it soon to S-OFF. Maybe these will help.

      2. Anonymous Coward

        Re: I also see Windows PC's and it's rare to come across one that's clean...

        Yeah, it's so easy to spot the infected ones, coughing and wheezing, some of them can barely stand. But whenever I see an Android phone it exudes healthiness!

        Don't forget "LESS CVE's than iOS". Because counting them is a great way to judge a platform's security. What's that? Windows has less than Linux? Well, obviously it's not significant then, I was talking about mobile OSs....

      3. Knewbie

        Sorry, that's bollocks...

        So I got a Samsung.

        An S5, precisely an SM-G906S, flagship edition, Korean release only, top of the cream S5s ever released.

        And I have Android 5.1. The 2 latest updates have been updates to 5.1. Last one mid-February.

        I have NOT been able to find a changelog. Or even details on what has been patched.

        I DO have a changelog number, but even a less than casual google search has been unable to give me any details on WHAT exactly was patched.

        So...a comment about "still not as bad as.." is about as useful as a comment on "Me, I see loads of devices, and have NEVER come across a single issue"... notably because YOU possibly don't really know what's happening and what's hot on the scene. Mostly because there is a 99.9% chance that you are a luser like the rest of us.

        On a positive note, you have my model number, and have been informed that I use the latest publicly available firmware. Can you tell me if I am at risk from the CVE's? No? Me neither...

  2. Snowy Silver badge

    Okay

    The full list of bugs – some reaching as far back as Android 4.4 as well as versions 5 and 6 – are below, but which version of the Nexus is getting fixes?

  3. Anonymous Coward

    BlackBerry pushed out their monthly fix today, I just got it on my Priv.

    1. Lusty

      Who are Blackberry?

    2. Anonymous Coward

      Yeah, the size of the install base means you're pretty safe anyway....

  4. Bloodbeastterror

    Hype?

    These things are possible but appear to be discovered by lab technicians with no reported incidents in the real world. Just how worried should we be?

    Well, I have a Nexus 6, just patched with the new build, so I'm ok, Jack, but since these things seem to be theoretical, does it really matter?

    Just asking...

    1. Rich 11 Silver badge

      Re: Hype?

      They won't stay theoretical forever.

    2. Anonymous Coward

      Re: Hype?

      Now they have been published, they will be reverse engineered and then millions upon millions of devices will become vulnerable.

    3. Badvok

      Re: Hype?

      Most are pretty unlikely since they rely on side-loading a malicious application, or receiving dodgy MMS messages (unlikely due to the expense that would be incurred by the sender). Only a couple appear to be exploitable by browser misdirection to a malware site or MITM attacks.

      What is interesting is that quite a few of these are Linux Kernel issues and binary device driver issues which aren't in the strictest sense Android itself and could apply to any device running the same Linux kernel or device drivers.

  5. Jamesit

    I had an update this morning for my BB Priv. Now running Android version 5.1.1, Android security patch level March 1, 2016. Does that include this patch?

  6. JeffyPoooh Silver badge
    Pint

    "Good news if you've got a Nexus..."

    Not if it's the original Nexus 7 tablet with the debilitating flash memory design fault. That's never good news. I've got one. It's gone awful. Frustrating P.o.S. Nexus, puh!

    1. choleric

      Re: "Good news if you've got a Nexus..."

      It's not just Nexuses. Any phone that can run cyanogen or equivalent can pick up the newest updates.

      And then there's your OnePluses too.

      It's not all doom and gloom.

    2. Anonymous Coward
      Thumb Down

      Re: "Good news if you've got a Nexus..."

      So flash it to some ROM that does get updates. I've got three 2012 Nexus 7's here that flash to something else here, so what's the big deal? Methinks thou dost protest too much.

      1. JeffyPoooh Silver badge

        Re: "Good news if you've got a Nexus..."

        Reportedly, it's a hardware design fault. Reportedly, it can't be fixed. I don't know why some claim not to see any problem with theirs. Unknown variables, or perhaps they just don't notice.

        It's been widely reported, so it's not just me.

      2. Anonymous Coward
        Meh

        Re: "Good news if you've got a Nexus..."

        "So flash it to some ROM that does get updates."

        But people here keep telling me not to install 3rd party software other than from the play store. If I do it's my own fault if I get attacked.

    3. Anonymous Coward

      Bad news if you have an LG

      I have Life's Grotty phone, same thing, either you are on the latest version or it cannot contact the server.

      Luckily it's a backup phone and soon to be replaced by an iPhone.

      Would never do any banking on the LG (or Android for that matter)

      1. jason 7 Silver badge

        Re: Bad news if you have an LG

        My LG G4 has had several security updates since I bought it in September last year. Got one last month in fact.

  7. MrDamage
    Boffin

    active customer exploitation

    The reason there are no reports of "active customer exploitation" is because the customers are passively being exploited. It's hackers/crackers/skiddies who do the active exploitation.

    1. gollux

      Re: active customer exploitation

      Heh, actually read a post on a security forum today about an Android RAT that the user had on his phone that had been used to siphon money off his bank account. Am expecting to hear more of these as time goes on as passive goes active.

  8. gollux
    Mushroom

    Friends don't let friends...

    Buy Android devices that aren't being actively supported by CyanogenMod or similar programs.

    Best fix for any Android device that's unsupported is to smack it with a hammer and never buy from that particular manufacturer ever again.

    1. DougS Silver badge

      Re: Friends don't let friends...

      Unless you're going to take on the task of rooting it etc. to install something else, telling your non-techie friends "buy this model because you can install something better on it" is going to get you a glazed over look in return. That's like telling them to buy a particular model of car because it makes replacing the struts an easier DIY project.

      And if you do perform that service for them, you will become their tech support for life. Good luck with that.

  9. AndrueC Silver badge
    Unhappy

    Yeah it's a great 'eco system' ain't it? I've had my phone a year. Okay so it's an S3 Neo but that isn't 'ancient'. It's running Kitkat 4.4.2. According to this 4.4.4 was released 18 months ago.

    So I do a check for updates 'You are running the latest version'..

    Great.

    I guess I could go through the faff of manually updating but I shouldn't have to.

    1. Nick Ryan Silver badge

      ...and this is exactly why I ditched my old (but just about still working) Samsung phone and got a Nexus. Samsung appear to have lost all interest in their devices within 6 months of their release, which coincides with roughly how long it takes them to vomit up their updated software that's already out of date by the time they graciously release it.

      1. Rob Crawford

        Strangely enough my Samsung S4 started getting monthly security updates in October I was fairly happy about that (though they never listed what the update addressed)

        Though that was because EE sent me an S4 that was a standard UK model without all their crap on it, friends with 'official' EE S4 phones never got a thing and only received 2 updates last year.

        If you look at Sammobile it's amazing the difference between carriers when it comes to updates (when I say amazing I actually mean shit BTW)

        I swapped to a Nexus 5X in December and am happy about receiving monthly security updates, though I would be happier if EE could actually give me the WiFi calling that they promised the 5X back in September

    2. Charlie Clark Silver badge

      In the EU it's still within the period (two years) of statutory guarantee so you are within your rights to sue Samsung. Contact your local consumer rights body for more information.

      In general, most handset manufacturers have a shocking record when it comes to providing updates. We need more legal cases like that launched recently in the Netherlands.

      We'll only find our rights are respected if we are prepared to assert them.

    3. Sporkinum

      My S3 says last kernel patch was August 2015. You would think they would want to patch older systems as well, though I guess I could try putting CM on it. I have heard there can be issues with my prepaid provider if I do that though.

  10. Anonymous Coward

    Complaints

    So we complain that Android does not get automatic updates but we complain that Windows 10 DOES !

    I want updates but want to choose which, when and if to update at my choice whichever OS I use.

    Running CM on my 2012 Motorola Razr MAX Android Marshmallow Nightly build 29/02/2016. only 3 google apps. camera, chrome, keyboard.

    Windows 7 (no telemetry or get win10 now) but all other updates and security patches

    OSX Snow leopard (out of support but hardware won't take a newer OS)

    iOS ( 7 ) old iPad 2 so don't want it to be SLOOOOOW and don't need fitness or health apps etc and as they are all or nothing I'll stay where I am thanks.

    1. DougS Silver badge

      Re: Complaints

      My parents' iPad 2 seems just fine to me running iOS 9. I can't do a side by side comparison with all the intervening versions but there's no problem with its performance from my perspective.

      When a new iOS version is released, you typically hear complaints "my old device xx got slower!" but a month or so later when the .1 version is released you hear "my old device xx is faster" so I think they probably don't get a lot of testing on older versions when developing a new iOS release. That's not surprising - you'd expect Apple employees, developers and the public interested enough to beta test to be likely to have newer hardware. After release when it gets installed on them Apple will investigate the specific complaints and resolve them in the updates.

      So the solution is to probably hold off on updating a bit if you have older hardware, and hit the .1 release or even .2 if you want to be sure.

  11. oneeye

    Insanity and Stupendous Stupidity !

    It's simple, vendors should be forced to request access to patches instead of just posting them for everyone. I mean, who else needs access but those who intend to push updates. This is ridiculous.

  12. En_croute

    Cheesy metaphor

    Most Swiss cheeses don't have any holes - Tilsit or Emmental do - which while popular, do not represent the wide range of cheeses available....#coatplease #thesmellyone

  13. Nicko

    I'm all right, Jack!

    Bought a Nexus 5X a few months back - used to have a Samsung SIII - last full update was 1st Feb. It isn't seeing these new updates just yet. 30 quid up front plus agreeing to sign up for another two years with O2 (O2 is the only network that has decent coverage out where we live).

    I wish people would just stop moaning all the time. It's depressing - software is complex, especially multi-threaded, real-time stuff. It will always have holes regardless of who made it - the whole iOS/Android/Windows/Linux/whatever is just navel gazing. Get a life (and a tin-foil hat), guys (and you are almost exclusively guys). It really isn't that important.
