Google melts 78 Android security holes, two of which were critical

Google has crushed 78 Android security flaws in its October bug blitzkrieg, repairing critical core Android services along the way. The patch parade sees the tech giant return to a high-double-digit patch run after issuing only 47 fixes last month and a whopping 103 in August. The updates are split into essential Android …

  1. Trevor_Pott Gold badge

    Here's betting my Galaxy S5 never sees a single one of these patches. A terrible phone by an increasingly terrible company.

    1. David Roberts Silver badge

      Galaxy S5

      Mine seems to be still getting regular updates.

      Then again I bought it SIM free, I don't know if this makes a difference.

      1. Ru'

        Re: Galaxy S5

        Mine is regularly updated too; certainly would point to the local phone provider rather than sammy being to blame for the OP's misfortune.

        1. Dan 55 Silver badge
          Trollface

          Re: Galaxy S5

          Blame Canada!

          1. Trevor_Pott Gold badge

            Re: Galaxy S5

            "Blame Canada!"

            If the carriers are the ones holding up patches, Samsung shouldn't be giving them the option to customize ROMs. Period.

        2. Trevor_Pott Gold badge

          Re: Galaxy S5

          "Mine is regularly updated too; certainly would point to the local phone provider rather than sammy being to blame for the OP's misfortune."

          Mine is patch level "June 01 2016". That's quite some time ago. Even that didn't bring the phone fully up to date for June 1, 2016. Prior to that, there was more than 6 months between patches. Not okay.

          None of the patches actually seem to solve any of the fundamental issues with the device either. Driver issues, touch screen issues, wakelocks, terrible connectivity...

          The S5 is a piece of shit, and so are all the modern "flagship" Samsung phones. Samsung used to be good. Now they peddle neglected crap. Simple as that.

    2. Charlie Clark Silver badge

      FFS, Trevor. I've got an S5 (picked it up second hand a year ago) and it's a great phone.

      Pursue Samsung via the consumer rights channels where you live (Canada?) as this is the only way to effect change. In the meantime just stick CyanogenMod on and you'll get all the security updates. This may be far from perfect but makes you sound less of an entitled millennial dick.

      1. Doc Ock

        @ Charlie,

        But why should Trevor have to put CM on it in the first place to compensate for Samsung's shit (no) support policy and complete indifference to the customer?

        A sorry situation replicated in the domestic router market leaving people wide open, it's about time companies were legally obliged to provide at least 5 years security updates (not unreasonable) and to be delivered in a timely manner.

        This will only be solved by legislation and large fines.

        The IoT really scares me not because of what it can do but what will not be done.

      2. Dan 55 Silver badge
        WTF?

        Things I learned today

        If you don't want your phone spamming premium numbers, DDoSing websites, mining bitcoins, and sending your contact data off to Russia, you're an entitled millennium prick.

        1. sabroni Silver badge

          Re: Things I learned today

          Why all the Samsung hate? Do any Android manufacturers (who aren't Google) patch regularly?

          Maybe Google have something to do with this? Shouldn't they have put a decent update mechanism in place?

          MS get shit on here all the time for Windows Update being crap (because it is) but at least it exists which is more than can be said for the generic Android Update service.

          1. Syntax Error

            Re: Things I learned today

            Samsung rightly get shit. They are a massive company who should know better. They should be aware of internet security.

            Some of their crap IoT like this http://www.samsung.com/us/explore/family-hub-refrigerator/

            Wonder if you can update the firmware on this very expensive baby.

          2. Trevor_Pott Gold badge

            @sabroni

            "Why all the Samsung hate?"

            The poor quality of any post Galaxy S 2/Note 2 Samsung phones. Understand, I loved both the S2 and the Note 2. The drivers on the stock ROM worked. The stock ROM was stable. The modding community managed to pull all the bits out they needed to make truly amazing third-party ROMs. Truly this was the heyday of Samsung devices.

            Today I have tried the S5, S6, S7 and Note 3. All have various problems that go beyond exploding batteries or bad updates. The S5, for example, has a laggy and terrible touch screen driver. Taps are recorded erratically, not always where they're supposed to be, and the delay between tap and recognition can be up to three seconds long.

            All of these phones have awful Wi-Fi that drops out randomly, abysmal 3G and LTE reception and every single one of them ships with at least one application or configuration that wakelocks the phone and drains the battery astonishingly quickly.

            Look, I know Android. I know how to get in there and rip out (most) of the miserable bits, configure the thing to (mostly) not suck, solve driver issues etc. What I'm saying is that I shouldn't have to. The damned things should just work. The stock ROMs should come with drivers that do what they're supposed to out of the box, be tested for wake locks, not have bizarre lags or glitches etc and so forth.

            Samsung used to ship a polished product. A quality device with a quality ROM that an engineer could be truly proud of and customers enjoyed using.

            Now all they ship are jars of shitinase and it's high time we stopped paying them for the favour.

            "Do any Android manufacturers (who aren't Google) patch regularly?"

            Not that I know of. Part of the problem, but, oddly, a separate problem from the bit that really makes me hate Samsung.

            1. Nate Amsden Silver badge

              Re: @sabroni

              I've been using a Note 3 since a couple months after it came out (the one and only Android smart phone I have owned). I have two now, my main one running 4.4.4 and a backup running 5.0 (wish there was an easy way to get it to 4.4.4, tried once got too close to bricking it and haven't tried since). No real complaints, only issue I have on 4.4.4 is I can no longer make a phone call in multi window mode with the calendar up at the same time, phone app goes full screen, didn't used to do that. Annoying when I am calling into a conference bridge and trying to read the conference code from the calendar.

              Android 5 on note 3 (AT&T note 3 in both cases) is worse, I read some of the issues are fixed in newer android 5 but those are not available. I really don't like the "recently used apps" feature in android 5 that drives me crazy. Also am not fond of the newer UI in 5.0.

              I'm happy with 4.4.4 though, as happy as I think I could be anyway. Before that I was a WebOS user for a few years, and long before that Blackberry.

              For the most part I stopped updating my apps too unless I really need to, too many things change that make them worse and there's no way to roll back to earlier version. Weather.com app I like, at least the version on my android 4 device, on the android 5 it works ok but not as good. I did roll back the Samsung health app on my note 3 after an upgrade prevented it from going to landscape mode, though I lost all of the data in the process.

              So many issues could be fixed I think if there was just an easy way to roll back, whether it is apps, or full phone OS. Too much risk of shit breaking or not acting the way I am used to with upgrading, so not worth the risk.

              I am very careful as to what I do on my phone of course, obviously no banking, or online purchases of really any kind. Am careful in other ways too. Security wise I think the risk is low. Risk much higher for a frustrating user experience though.

              Which is what makes me like Linux Mate so much, Ubuntu 10.04 LTS UI was the best UI of any linux I have used (20 years now), and was very afraid to jump to Gnome 3, then MATE came out and saved the day.

              Windows 2016 just came out too right? and here I am deploying fresh Windows 2008 R2 servers because I prefer the UI on those too over 2012 (have a few of those with classic shell) and up. Though 98% of my systems are linux.

      3. Trevor_Pott Gold badge

        @Charlie Clark

        Hey, buddy, howzabout you go eat a bag of mouldy dicks? Cool? Cool.

        A) There is no way I have the money to take on Samsung in the courts. You're a funny guy.

        B) Cyanogenmod for the S5 is a bucket of shit-covered shit in shit sauce. Don't know if you've been paying attention, but third party ROM support for Samsung mobiles has been awful ever since the S2. There is always something that doesn't work properly that makes it even worse than the stock ROM.

        C) The idea that having to load a third party ROM to get security updates is somehow acceptable makes you sound like an out of touch technocrat who hasn't had a dalliance with a member of their preferred gender in years. The part where wanting my phone to just fucking work is something you believe makes me "an entitled millennial dick" makes me want to force-feed you the aforementioned bag of mouldy dicks just for being an asshat on the internet.

        Cheers and beers.

        1. Charlie Clark Silver badge

          Re: @Charlie Clark

          There is no way I have the money to take on Samsung in the courts.

          But I didn't say that. I think it's terrible the way the companies behave. I don't know the setup in Canada but I'm referring to things like the action currently being led by the Dutch consumer rights authorities to try and enforce timely distribution of security patches. I assume you have something like a consumer advice bureau in Canada. If enough customers get up off their fat, lazy, entitled arses and start complaining then the authorities might take action.

          My S5 with CM is fine. Wifi isn't at all patchy if a bit greedy. I don't have a 4G SIM but 3G is fine. I have had Samsung phones for about 10 years now and they've all been pretty good.

          The idea that having to load a third party ROM to get security updates is somehow acceptable

          See above: I do think that the companies should be doing a lot more but in their absence I'd rather do something rather than nothing. Bitching about Samsung, or any other company, on an internet forum certainly isn't going to change anything. And if it makes me an asshat to point this out, then I'm happy to be one.

          1. Trevor_Pott Gold badge

            Re: @Charlie Clark

            Consumer rights groups in Canada have little power, less funding and shockingly few rights. I also don't see how it is on me, personally, to steer a ship like that which is run by its own group of people. I can (and have) recommended action to some of the consumer rights groups here in Canada, but bear in mind that these organizations have their own staff, with their own power structures and their own priorities.

            Incidentally, bitching online does have a purpose. It makes me feel better. Also: it causes debate and discussion which may lead to additional people choosing not to buy from Samsung. All of that is a Good Thing. The more people choose a different vendor the more financial pressure there is on Samsung to change their ways.

            And make no mistake about it, the only thing that will get Sammy - or any other enterprise - to alter their behaviour is financial pressure. Customer rights groups and government pressure ultimately result in irrelevant changes decades after the issue arises.

            Lastly, posting about just how much Samsung sucks annoys you, personally. Don't underestimate how much satisfaction I derive from irritating you and everyone else like you who state that wanting a phone to just fucking work (and/or be patched regularly) makes one an "entitled millennial dick".

            Also: if I can offend, irritate or dismay any brand tribalists at any time, then whatever efforts I engage in to do so are not wasted. Brand tribalists are among the most evolutionarily unfit members of our species, and I greatly desire to see them selected against. Causing them to expose their own irrationality is one means by which I can help ensure this occurs.

            So, in conclusion: shitposting about Samsung has value to me in layers.

            Cheers.

            1. Charlie Clark Silver badge

              Re: @Charlie Clark

              Also: if I can offend, irritate or dismay any brand tribalists at any time

              Whoosh.

        2. Ilsa Loving
          Thumb Up

          Re: @Charlie Clark

          >> Hey, buddy, howzabout you go eat a bag of mouldy dicks?

          >> ...is a bucket of shit-covered shit in shit sauce.

          >>sound like an out of touch technocrat who hasn't had a dalliance with a member of their preferred gender in years.

          You are my hero.

      4. Jeffrey Nonken Silver badge

        I've got a Galaxy S4, which is stuck at 5.0.1 (not even the latest Lollipop). After many hours of experimentation, Google searches, trial and (mostly) error I've gotten CM13 running on my main phone. The biggest problem was getting data to work on Ting (Sprint MVNO), but this morning I found a magical patch that somebody had made and posted.

        So if I make a reasonable effort I can keep my S4 patched, yay! But I also realize it's not for everybody; two of the other three S4 phones in my household are still on stock ROM because the users aren't as fiddly as I am. (But they are also out of room, if only because their phones have a butt-ton of useless apps they can't uninstall. Thanks, Google. Thanks, Samsung. Thanks, Sprint. Anybody else want to put their crap on my phone? Because there's still room, as long as I don't actually turn it on and try to use it.)

        The fourth S4 is a spare Freedompop phone I use to experiment on. There's a certain symmetry in the fact that the Ting patch is just a modified version of the patch I use on the Freedompop phone.

        So hey, that's me sorted. But it's a hassle I shouldn't have had to engage in any more than Trevor. But at least I'm not an entitled millennial dick. Me, I'm an entitled baby boomer dick.

        1. Charlie Clark Silver badge

          Me, I'm an entitled baby boomer dick.

          Will you settle for "grumpy old git"? ;-) Getting rid of all the crapware is another reason to root and mod. But you're right, it's not for everyone and can be harder on phones that were customised for particular networks and it seems that virtually every Samsung has a special Sprint version.

    3. kend1
      Pint

      Samsung updates

      @Trevor_Pott

      Samsung does produce monthly updates. http://security.samsungmobile.com/smrupdate.html#SMR-OCT-2016

      "Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process."

      I have the S5-mini and 6 months between updates sounds spot on. Daughter's Verizon S6 was just updated on Sept 27 2016.

      1. Trevor_Pott Gold badge

        Re: Samsung updates

        Assuming that Samsung are releasing those updates to anything other than the very latest models every month (and given the delays in getting Marshmallow onto the S5, I don't believe that's the case), there is still the issue of those updates not getting out to actual customers.

        Pointing the finger at the carriers is pointless. There are squillions of carriers and ISPs in the world and they have collectively proven time and again that they can't be trusted. Whether the issue is updating their Android images or delivering IPv6 connectivity in a G7 nation (like Canada), carriers and ISPs don't care about standards, security or usability.

        So why are phone manufacturers like Samsung even giving these carriers the choice? Samsung (and everyone else) should be bypassing the carrier lockdowns altogether and allowing end users to receive (at least) monthly updates.

        But, like everything else about their phones, Samsung just doesn't care. Minimum effort for the minimum viable product is the name of the game. :(

        1. cambsukguy

          Re: Samsung updates

          Windows Phone may get a lot of flak in these parts but my Lumia 950 gets updates regularly, many additions are app improvements of course but the system gets security updates and sometimes a completely updated system (viz Anniversary Update).

          I have no idea about these touch screen issues and exploding batteries although issues do exist of course - I would like the Iris recognition to go out of Beta for instance (presumably it would be faster/instant and work in bright sunlight better).

          As for contemplating a third party ROM, madness I say, I have to agree with Trevor here (weird) but it does beg the question "Why use an S5 at all if you don't like it?", required for work?

          My Samsung TV woes, documented here previously, and the fact that I sort of worked for that shabby outfit, stops me buying one anyway, ever, TVs, Fridges, anything. Luckily, I don't have to.

          I do, however, have to keep worrying that MS will stop making cell phones or that HP, Asus et al. make them and they are as good (specifically, the camera).

          Still got two years safe use on non-Android before I have to worry at least.

        2. Doc Ock

          Re: Samsung updates

          >>But, like everything else about their phones products, Samsung just doesn't care. Minimum effort for the minimum viable product is the name of the game. :(

          I can attest to that having possession of a S2 T810 and just how fucking long it took Samsung to pull their finger out of their ass (not the carrier) and deliver a Marshmallow update to the UK. Take a look at what Motorola do, no fucking silly skins to slow the roll out.

          It was a close run thing buying the Samsung or a new Ipad, it was a choice of which was marginally less shit but SD cards and being able to run FF whilst avoiding Safari swung it in the end. However it is a reasonable tablet, battery life could be better.

  2. Anonymous Coward

    Android OS

    is a Security Hole.

    All your data are belong to anyone Marissa Mayer jumps into bed with..

    1. Planty Bronze badge
      Stop

      Re: Android OS

      Originally iOS is right at the top of 2015 CVE list, and also 2016 so far too.

      The difference, Apple don't present the information in a way that's easy to churn for lazy hacks.

      1. Jeffrey Nonken Silver badge

        Re: Android OS

        My biggest problem with Apple is the walled garden. I actually like the iPhone, but Apple likes to keep too much control. It might be forgiveable if they did a better job, but their apps curation has the consistency of throwing darts blindfolded with their backs to the dart board. And if you jailbreak the phone, instead of merely washing their hands of you, they've been known to actively try to destroy the phone. Control freak much?

        Anyway, mixed feelings. Not sure what I'm going to buy when I go for my next phone.

    2. Anonymous Coward

      Re: Android OS

      My God, you sound just like those smug Linux users who parrot the same about Windows. It's as if you cannot grasp that a platform's popularity influences vulnerability interest and research.

  3. Anonymous Coward

    "Affects Nexus" .... do all Nexuses get these security updates? Wondering as since my Nexus5 appears not to be getting Nougat as to whether it will get security updates as well. Though since to guarantee getting updates seems to involve spending £599+ on a Pixel then a N5 on Marshmallow with no security updates is probably as secure as a new other manufacturer phone still on Marshmallow and getting no security updates.

    1. Anonymous Coward

      Yes, M4B30X 2 days old.

      Keep up....

      1. Anonymous Coward

        Actually it only arrived on my N5 this morning ... but at least it confirms it's still getting security updates for now

  4. RyokuMas Silver badge
    Devil

    Patch dates

    If you own a Pixel phone - tomorrow. Anything else... well...


Biting the hand that feeds IT © 1998–2019