July is here – and so are the latest Android security fixes. Plenty of critical updates for all

Google today posted a fresh round of Android security fixes. The July update addresses a total of 33 CVE-listed vulnerabilities, nine of them classified as critical risks. At the basic 2019-07-01 level, a dozen bugs are addressed. Five of those would allow for remote code execution if exploited; three (CVE-2019-2106, CVE-2019 …

  1. Paratrooping Parrot
    Facepalm

    If only

    Security updates seem to only appear if you bought your device within the last year. You may be lucky that your phone is supported by LineageOS. This is one of the major flaws with the Android ecosystem. Many cheap devices come out, but they never get updates. I have been lucky that my Samsung Galaxy s7 had updates a few months ago, not sure how long that will last though.

    1. Bowlers

      Re: If only

      Updates, security fixes, not if you're an abandoned Google Nexus 9 customer. Does any manufacturer offer updates after the first year of ownership?

      1. Sartori

        Re: If only

        My Nokia 8 is still getting the security updates every month, which I think is pretty good for a phone that didn't cost me all that much. They tend to pop up a couple of weeks or so after the Google release.

        1. Down not across Silver badge

          Re: If only

          My Nokia 8 is still getting the security updates every month

          It probably helps that Nokia 8 is more or less stock android with no crap on top. I suspect the later Nokias with "AndroidOne" are even better with regards to updates. Very happy with the phone and excellent value when its price dropped to ~200 quid.

          1. Graham 32

            Re: If only

            I have a Nokia 6.1, which is an AndroidOne model, and the latest update is "patch level: 1 Feb 2019" which was delivered IIRC in April.

            When I first got it there was a patch every month, but that soon stopped. The value of AndroidOne seems to be zero.

            1. Down not across Silver badge

              Re: If only

              The value of AndroidOne seems to be zero.

              Ouch. I concur, AndroidOne clearly does not live up to the expectations. Shocking that my pre-AndroidOne Nokia 8 is patch level June 2019, and the newer, what I'd expect to be even more stock Android, phone is behind on patches.

          2. cdrcat

            Re: If only

            I have the Nokia 7+, last security update 1 April. It is an AndroidOne phone.

      2. Charlie Clark Silver badge

        Re: If only

        It's one of the reasons why Google changed things in Android 8 and 9 so that they can push most security updates without waiting for the manufacturers or networks. Would be interesting to see some data on how well this is going.

        1. Neil 44

          Re: If only

          No security patches on 8.1 on Nexus 5x since December - so not that wonderful...

      3. Anonymous Coward

        Re: If only

        "Updates, security fixes, not if you're an abandoned Google Nexus 9 customer. Does any manufacturer offer updates after the first year of ownership?"

        Apple does :-)

        1. Bebito

          Re: If only

          Yeah - to slow your iPhone down and make you buy a newer one!

      4. deive

        Re: If only

        The Nexus 9 is 5 years old??

        https://www.gsmarena.com/htc_nexus_9-5823.php

        I would say that this is poor as well, but it's not 1 year.

      5. Anonymous Coward

        Re: If only

        Apple....

        Supposedly my Sony Xperia Z5 compact stopped receiving updates in 2017 because Qualcomm stopped releasing drivers for the CPU.

        Unfortunately the newer Xperia models seem like they have at least one feature which is a step backwards and so far the only other phone in this size and spec is Apple.

    2. big_D Silver badge

      Re: If only

      My Mate 10 Pro is 18 months old and still getting updates. My wife's P-Smart is also 16 months old and got Android 9 last month and has had security patches every month. My P20 is a year old and it is also still getting patches.

      So, Huawei at least provide patches. I believe they provide 3 years' worth of patching, but I'm not 100% certain.

      Samsung now also deliver a similar level of patching, I believe. My colleague's S7 got Android 9 and gets regular updates.

      Edit: In fact, I got an update for the P20 this morning.

      1. Ryan Clark

        Re: If only

        My P10 was doing quite well, but I am still on Jan 2019 Android security update so it looks like they might have stopped now. Phone is two years old this month.

    3. WonkoTheSane Silver badge
      Headmaster

      Re: If only

      IIRC, Google's own devices receive OS updates for 2 years, and security patches for 3.

    4. Anonymous Coward

      Re: If only

      My Samsung S8 is still getting plenty of updates.

      It's now on Android Pie and working better than ever.

    5. Captain Scarlet Silver badge
      Facepalm

      Re: If only

      Moto G7 Power - Up to date apparently, but dated December 2018.

      It's not a carrier one and I have already asked support when they will update it (Apparently May 2019 build according to Motorola Support was due to be released soon, that was over a month ago).

      Although I don't have an issue with the phone I am deeply disappointed Motorola have not updated the UK version of the G7 Power since its release.

    6. Anonymous Coward

      Re: If only

      >This is one of the major flaws with Android ecosystem.

      Not just Android, there's a mountain of shit out there that doesn't get patched that connects to the Internet. I'm of the opinion the manufacturers and software vendors who no longer support a product security wise should be legally forced at the very least to release the full source code.

      We can not afford to continue to have this throw away culture.

    7. e^iπ+1=0

      Re: If only

      Just keep it airgapped, you'll probably be okay.

      Works for me.

      Otherwise, try removing the battery.

  2. _LC_ Silver badge
    FAIL

    "remote code execution" "the Android media framework"

    A head-to-head race with Adobe's Flash Player.

    1. Steve Graham

      Re: "remote code execution" "the Android media framework"

      I found this week that if Media Storage stops working, then Download Manager stops working, causing Play Store to stop working. So you can't update the app that borked Media Storage.

      No error handling either. Just out-and-out crashes.

      1. Charlie Clark Silver badge

        Re: "remote code execution" "the Android media framework"

        Media storage isn't the same as media framework. IIRC nearly all such frameworks are, almost inherently, vulnerable due to the access they give to hardware required to play whatever it is.

        What app caused Media Storage to break?

      2. _LC_ Silver badge

        Re: "remote code execution" "the Android media framework"

        I hope Huawei pulls this off and doesn't back down. Another OS can only be better. Android is such a turd and Apple's dog leash I really don't want put on now.

    2. LDS Silver badge
      Joke

      "A head-to-head race with Adobe's Flash Player."

      Maybe they copied from Flash too, not only Java... just Adobe is too shamed to out it.

  3. Beardedtit

    Carephone warehouse are also still selling devices running android 5.0.2.

    The number of vulnerabilities in that doesn't bear thinking about.

    1. TechnicalBen Silver badge

      Or the useability. Those devices were given poor hardware to begin with, and the code bloat ran out of control (they were nice and simple to use, about bearable, but video resolutions and website features just ran away ahead of the devices' ability).

    2. nkuk

      Potential vulnerabilities and actual in-the-wild exploits are two completely different things though. It could have a million vulnerabilities but that's not a problem unless they can actually be exploited.

      1. _LC_ Silver badge
        Alert

        Oh, but they are...

        "Potential vulnerabilities and actual in-the-wild exploits are two completely different things though. It could have a million vulnerabilities but that's not a problem unless they can actually be exploited."

        They can - and - are. If you're an investigative journalist, member of the opposition, environmentalist or something like that, the spooks turn your phone into a wiretap bug.
