back to article Patch your Android, peeps, it has up to 14 nasty flaws to flog

Another month, another round of Android patches – although October's batch is pleasantly small compared to other recent releases. Of the 14 CVE flaws released, six cover Android's troubled media processing and playback engine. This means miscreants can fling malicious files at devices to potentially hijack them. The privilege …

  1. Long John Brass Silver badge
    Pirate

    and will be pushed out to phones this month

    Nope

    By the vendors some time next year

    And by the telcos some time in the next decade

    1. Lysenko

      Re: and will be pushed out to phones this month

      Depends on the vendor. The Sept 1st patch set landed on my WileyFox on Sept 8th, which is about normal for them.

    2. Anonymous Coward
      Anonymous Coward

      Re: and will be pushed out to phones this month

      Google + Linux + Java = it would be hard to make security any worse...

      1. Version 1.0 Silver badge

        Re: and will be pushed out to phones this month

        How about Google + Linux + Java + OOP ?

    3. Dr Mantis Toboggan
      FAIL

      Re: and will be pushed out to phones this month

      Yep, all my devices updated overnight and were patched this morning....

      But then I wasn't stupid enough to buy the cheapest shite on the shelf and thought it would come with premium support.

    4. Chemical Bob
      Devil

      Re: and will be pushed out to phones this month

      "And by the telcos some time in the next decade"

      You're an optimist...

  2. OffBeatMammal

    sigh. still stuck on 7.1.2 (Aug 5 2017 update) on my Nexus 5x

    would be more inclined to think they cared if they actually delivered patches to existing devices in a timely manner...

    1. Anonymous Coward
      Anonymous Coward

      Lucky. I'm still on 7.0 with the April patches on my LG G5 and they don't even care about dealing with patches now that the newer phones are out and resort to blaming carriers instead when they aren't even pushing them to the phones direct from them and never locked to a carrier...

      At least on the Nexus phones you have some hope of getting them.

      1. Anonymous Coward
        Anonymous Coward

        7.0? You're lucky. My Moto G (1st gen) hasn't had an update since 5.1 in 2015.

        This phone was sold from Nov 2013 to Sep 2014, so it's not exactly ancient, unless you really believe we should be throwing away functional hardware every 1-2 years.

        1. MyffyW Silver badge

          unless you really believe we should be throwing away functional hardware every 1-2 years.

          @AC no, I don't believe that but I agree the software release regime is pushing one to that conclusion. The actual innovation at the core of the phone (CPU, Memory, Storage and Battery) is trivial from one "generation" to the next however the lack of software support forces one to consider a 3 year old phone obsolete.

        2. TReko

          Modularity

          The problem is that the Android patches are so closely tied to the hardware. They often require a complete new OS image of a few hundred megabytes.

          I'm not a fan of Windows update, but a Windows patch does not care much if you are running on a Dell or a Lenovo or a beige box. It just works, normally. So does PC Linux.

          1. Anonymous Coward
            Anonymous Coward

            Re: Modularity

            Because it's got a HAL like android has now....

            https://android-developers.googleblog.com/2017/05/here-comes-treble-modular-base-for.html

      2. CrazyOldCatMan Silver badge

        At least on the Nexus phones you have some hope of getting them.

        Or, at the very least, heading over to XdaDevelopers and finding a decent custom ROM based on LineageOS..

    2. pLu

      > sigh. still stuck on 7.1.2 (Aug 5 2017 update) on my Nexus 5x

      I just got the Oct 5 2017 update for 8.0.0 on my Nexus 5X.

    3. Neil 44

      Why? The Oreo images are out there on the Google servers for your use...

      Nexus Root Kit will flash them for you (you don't have to be rooted - it'll just flash the factory images) - though you do have to download the file yourself. I'll flash in "no wipe" mode.

      1. pLu

        I enrolled in the Oreo beta during the summer and got an OTA update. Had to exit the beta though to get the security updates.

    4. Cynical Observer

      In response to the two AC responding lucky....

    5. hellwig Silver badge

      My LG G4 is stuck on Android 6.0, and my "Android security patch level" is "2017-04-01". No security updates since April? Wonderful!!!

      1. Barry Rueger

        Oh Canada. My G4 is also on 6.0, but 2027-03-01.

    6. Anonymous Coward
      Anonymous Coward

      October 2017 OTA patch.

      https://dl.google.com/dl/android/aosp/bullhead-ota-opr4.170623.009-3d87beab.zip

  3. Anonymous Coward
    Stop

    And people mock me

    … because I use iPhone and Macs.

    Please remind me, how many apps has Google pulled this year due to them containing malware? And how many has Apple pulled for the same reason?

    And let's face it. Apple do release patches quite often. Now how often do android users get patched?

    Maybe, just maybe, Apple is better at security?

    Just saying

    Cheers… Ishy

    P,S, I do have a Sony telephone. It looks and feels much nicer than iPhone. I just don't trust it to run apps. They always ask for too many permissions. Don't have that problem with iPhone

    1. RyokuMas Silver badge
      Big Brother

      Re: And people mock me

      "Maybe, just maybe, Apple is better at security?"

      Oh no no no no no. You just can't say stuff round here. Repeat the mantra after me:

      "Open - good, walled garden - bad. Open - good, walled garden - bad."

      Ignore the fact that "Open" these days means "closely tied in with a suite of proprietary support systems that it is almost impossible to operate without."

      Conform.

      1. Charlie Clark Silver badge
        Facepalm

        Re: And people mock me

        You just can't say stuff round here.

        You might want to see a doctor about getting that chip removed from your shoulder…

    2. MyffyW Silver badge

      Re: And people mock me

      @Ishtiaq I wouldn't be rude enough to mock anybody for their choice of operating system. That's because I value choice. That said I personally find it difficult to justify paying twice the price for a phone or tablet from Apple versus a me-too Android. But I do respect the fact you attach a different value to things than I do. It makes the world an interesting place to live in and explore.

    3. Charlie Clark Silver badge

      Re: And people mock me

      @Ishtiag Apple is far less open about security than Google and releases updates far less frequently. That said, the lack of large infections of either Android or IOS are testament to improvements in OS security since Windows XP.

    4. Anonymous Coward
      Anonymous Coward

      Re: And people mock me

      I use an iphone, I'm now being pestered to update to the latest IOS which no doubt will slow my little SE down. Strange how these updates come out after a new phone is released.

      Maybe I'm being paranoid..

    5. David Nash Silver badge

      Re: And people mock me

      "I just don't trust it to run apps. They always ask for too many permissions. Don't have that problem with iPhone"

      I too had a Sony phone a few years ago, it was very good.

      Provided you get apps from the authorised Google Play Store they are almost certainly not malware. And you can refuse individual permissions for apps nowadays. Unlike with Apple, if I understand correctly.

  4. Tromos
    Joke

    Flaws affect Android 4.4 to the current version.

    Good job I'm still on 3.2 then.

    1. MyffyW Silver badge

      Re: Flaws affect Android 4.4 to the current version.

      I'm still on 3.11 ... but the about screen says "Windows for Workgroups", is that going to be a problem?

  5. Timmy B Silver badge

    Oneplus not doing bad

    I'm on 7.1.1 with 1st August 2017 security patch level on my OP3. Generally quite impressed with them. Though why change the phone app so that down picks up and up hangs up? Daft choice.....

  6. Jamie Jones Silver badge

    "Patch your android"

    LOL!

  7. wyatt

    Which is more secure, old phone with a version from a trusted source or an old phone on the latest version you downloaded from somewhere on the internet? Neither.. people worry about the IoT being insecure, there's so much more which industry abandons as it isn't profitable.

    How this can be fixed I don't know, there are so many variations with software. Only way to control it would be like Apple, where devices are locked down from user access fairly well. Always a way round though (eventually).

    I'd go for user education, take some responsibility for what you're doing and do it better/put in working practices which make you more secure. Maybe then when users realise they're not secure/at risk they'll push back and manufacturers will take notice.

    1. Paul Crawford Silver badge

      Re: "I'd go for user education"

      Sorry, that simply won't work. The only thing that will make suppliers & importers take notice is liability for unpatched flaws after a certain time. You know the sort of thing that would happen in the traditional hardware world of cars, etc, when some safety factor comes to light.

      Much as I distrust government meddling in technology, having some legal standards for, say, 5 years after the sale of any "connected device" would be a more workable answer. Sure those companies will bitch about profitability, etc, but the reality is they are currently shitting on the consumers by not doing it right in the first place (and by "right" I mean having a proper system for support and patching planned for and used, as some bugs are inevitably going to happen).

      1. wyatt

        Re: "I'd go for user education"

        Whilst I do agree, it'd be hard/impossible to do there's nothing in place to have suppliers take on liability and getting that in place would be impossible.

        My central heating boiler is was under warranty, as long as it was installed correctly and on a well designed heating system. All the manufacturer has to say is that it hasn't been done properly and they're excluding any claim. There's so much wriggle room that can be used that devices would never be supported for a reasonable period.

  8. Anonymous Coward
    Anonymous Coward

    CP/M for Ever

    Yeah!

  9. mark l 2 Silver badge

    My guess is that around 50% of Android devices that are still in use will never see these or any other updates.

    I have a old unbranded tablet from 2013 that is still running Jellybean which i have rooted but can't find any newer ROM version for, but it works fine for BBC iplayer connected to a bedroom tv

  10. Pink Duck
    Go

    Tip

    Pleasingly since I have Lineage OS on my ageing Samsung Galaxy S3 the patches are going to be available to my phone shortly.

    1. Inventor of the Marmite Laser Silver badge

      Re: Tip

      +1 - it's also a wonderful thing to get away from Samsung's bloatware. Makes the S3 almost a pleasure to use.

  11. J J Carter Silver badge
    Trollface

    Too late...

    I don't fancy digging through the landfill looking for my Android phone

  12. Anonymous Coward
    Anonymous Coward

    If it helps...

    My 2014 IPhone 6 Plus just got the latest iOS 11.0.1. It all went very well, since you ask.

    1. Jamie Jones Silver badge

      Re: If it helps...

      .... and still cost you more than if you bought a new android phone every 6 months.... Just saying.

    2. Anonymous Coward
      Anonymous Coward

      Re: If it helps...

      And now iOS 11.0.2. Again, all went well. Anyone here ever get an Android update? (Buying a new phone doesn't count).

    3. Anonymous Coward
      Anonymous Coward

      Re: If it helps...

      That would be the version where turning off Bluetooth and WiFi in the command center lets you think this has happened but doesn't actually do it... because that might inconvenience some Apple apps.

  13. Orv Silver badge

    My ZTE phone just got the September 1 update, so I might see this round about mid-November. Actually that isn't too bad compared to other Android phones I've owned.

  14. Lorribot

    Patching....

    There's three ways to do patching

    Control just the software and spend years refining the patching process with vast amounts of in house testing to ensure 90% compatibility and then if anything breaks you did your best

    Abdicate responsibility for the delivery of patches to 3rd parties who are only interested in selling new stuff and customize your OS so everything will break, then its their fault when stuff does break or their customers get hacked.

    Control Hardware and software so patching is simple and pushed to every device (except where they pass control of patching to third parties for some hardware who ......)

    Two of them work, one doesn't, take you pick

    Class action anyone?

    1. Jamie Jones Silver badge

      Re: Patching....

      If someone wants to restrict *my* access to the device I use, they can pay me for the privilege.

      1. Anonymous Coward
        Anonymous Coward

        Re: Patching....

        Whatever.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019